Phantom Html To Pdf · Phantom-Html-To-Pdf · CVE-2020-7763
**Name of the Vulnerable Software and Affected Versions**
phantom-html-to-pdf versions prior to 0.6.1
**Description**
The issue affects the phantom-html-to-pdf package. The `conversion` function exported by the "phantom-html-to-pdf" module accepts an `allowLocalFilesAccess` option, but setting it to `false` does not actually prevent the rendered document from reading local files. The reported example passes HTML in the `html` parameter containing a `document.write` statement that reaches the `c:/windows/win.ini` file, demonstrating the bypass.
**Recommendations**
For versions prior to 0.6.1, update to version 0.6.1 or later to resolve the issue. As a temporary workaround, consider setting `allowLocalFilesAccess` to `true` and implementing additional validation on the `html` parameter to prevent malicious access to local files. However, updating to a fixed version is the recommended solution.
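As an added example (not code from the phantom-html-to-pdf project), the following Node.js snippet implements the two defender-side checks implied by the description and the recommendations above: a version gate against the fixed release 0.6.1, and a coarse pre-filter over the `html` parameter that flags the indicators the description names (inline script, `document.write`, local file paths) before the document is handed to a converter. Function names, the indicator patterns and the sample inputs are constructed for this illustration and are not part of the library's API.

```javascript
// Added example, not phantom-html-to-pdf code: pre-conversion checks for
// untrusted HTML plus a version gate for CVE-2020-7763. All names, patterns
// and sample documents below are constructed for illustration.

// Parse "major.minor.patch" (optional leading "v"); pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the installed version is older than the fixed version (0.6.1 per the advisory).
function isVulnerableVersion(installed, fixed = "0.6.1") {
  const a = parseVersion(installed);
  const b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Indicators that an HTML document may script the renderer or reference local files.
// This is a coarse pre-filter for untrusted input, not an HTML sanitizer.
const INDICATORS = [
  { name: "inline-script", re: /<script\b/i },
  { name: "document-write", re: /document\s*\.\s*write/i },
  { name: "file-url", re: /\bfile:\/\//i },
  { name: "local-path", re: /(?:^|["'(\s])(?:[a-z]:[\\\/]|\/(?:etc|proc|windows)\b)/i },
  { name: "event-handler", re: /\son[a-z]+\s*=/i },
  { name: "iframe-or-object", re: /<(?:iframe|object|embed)\b/i },
];

// Returns { safe, findings } where findings lists every indicator that matched.
function assessHtmlInput(html) {
  const findings = INDICATORS.filter(({ re }) => re.test(html)).map(({ name }) => name);
  return { safe: findings.length === 0, findings };
}

// Policy gate: flagged input is never converted; the reason distinguishes an
// unpatched library (where allowLocalFilesAccess: false cannot be relied on)
// from a patched one so the rejection can be logged accordingly.
function shouldConvert(html, installedVersion) {
  const { safe, findings } = assessHtmlInput(html);
  if (safe) return { allow: true, reason: "no indicators" };
  if (isVulnerableVersion(installedVersion)) {
    return { allow: false, reason: `unpatched ${installedVersion}: ${findings.join(",")}` };
  }
  return { allow: false, reason: `untrusted input flagged: ${findings.join(",")}` };
}

// Constructed sample documents (not real captured input).
const SAMPLE_SAFE = "<html><body><h1>Invoice 42</h1><p>Total: 12.00</p></body></html>";
const SAMPLE_FLAGGED =
  "<html><body><script>document.write('c:/windows/win.ini')</script></body></html>";

console.log(shouldConvert(SAMPLE_SAFE, "0.6.0"));
console.log(shouldConvert(SAMPLE_FLAGGED, "0.6.0"));
console.log(shouldConvert(SAMPLE_FLAGGED, "0.6.1"));
```

In practice the version passed to `shouldConvert` would come from the installed package's `package.json`, and the indicator list would be tuned to what the application legitimately needs to render; the point of the gate is that untrusted HTML is rejected before the converter ever sees it, independent of what `allowLocalFilesAccess` is set to.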