Ahmad Shauqi

**Name of the Vulnerable Software and Affected Versions** spatie/browsershot versions prior to 5.0.3 **Description** The issue is related to improper input validation due to incorrect URL validation through the `setUrl` method. An attacker can exploit this by utilizing `view-source:file://`, allowing for arbitrary file reading on a local file. This is a bypass of a previous fix. **Recommendations** For versions prior to 5.0.3, update to version 5.0.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `setUrl` method to minimize the risk of exploitation. Avoid using the `view-source:file://` protocol in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iTop versions prior to 2.7.10 iTop versions prior to 3.0.4 iTop versions prior to 3.1.1 iTop versions prior to 3.2.0 **Description** iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. The `pages/exec.php` script has been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. **Recommendations** For versions prior to 2.7.10, update to version 2.7.10 or later. For versions prior to 3.0.4, update to version 3.0.4 or later. For versions prior to 3.1.1, update to version 3.1.1 or later. For versions prior to 3.2.0, update to version 3.2.0 or later. As a temporary workaround, consider restricting access to the `env-production` folder to minimize the risk of exploitation.