CVE-2020-7763

Name of the Vulnerable Software and Affected Versions phantom-html-to-pdf versions prior to 0.6.1

Description The issue affects the phantom-html-to-pdf package, allowing for potential exploitation. Technical details about exploitation include the use of the conversion function from the "phantom-html-to-pdf" module, where setting allowLocalFilesAccess to false does not prevent access to local files. An example exploit uses the html parameter with a document.write statement to access the c:/windows/win.ini file, demonstrating the vulnerability.

Recommendations For versions prior to 0.6.1, update to version 0.6.1 or later to resolve the issue. As a temporary workaround, consider setting allowLocalFilesAccess to true and implementing additional validation on the html parameter to prevent malicious access to local files. However, updating to a fixed version is the recommended solution.