PT-2022-26035 · Unknown · Browsershot

Carlos Bello · Published 2022-11-25 · Updated 2022-12-01

CVE-2022-41706
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Browsershot version 3.57.2
Description: The issue allows an external attacker to remotely obtain arbitrary local files. Browsershot hands the URL given to the Browsershot::url method to headless Chrome without restricting its scheme, so an application that lets a user choose the URL to render also lets that user submit a file:// URL; the resulting screenshot or PDF then exposes the contents of any local file the rendering process can read.
Recommendations: For Browsershot version 3.57.2, validate the scheme of every URL before passing it to the Browsershot::url method: parse the URL, compare the scheme case-insensitively and accept only http and https (an allowlist; a denylist that only checks for a leading file:// misses case variants and other non-web schemes). As a temporary workaround, restrict access to the Browsershot::url method to trusted callers until a patch is available.
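The check the recommendation describes, as an added example that is not Browsershot's code nor the advisory author's. It assumes a PHP application that renders a user-supplied URL; the class RenderUrlValidator and the function renderPdfFromUserUrl are hypothetical names, while Browsershot::url() and ->pdf() are the package's documented calls. It goes beyond the single file:// case reported here: the allowlist rejects every non-http(s) scheme, including upper-case and backslash variants, and additionally refuses literal loopback, private and reserved hosts, since a renderer that fetches arbitrary http(s) URLs can otherwise be pointed at internal services.

```php
<?php
// Added example, not Browsershot's own code: allowlist the URL scheme before
// a user-controlled URL reaches Browsershot::url(). RenderUrlValidator and
// renderPdfFromUserUrl are hypothetical names chosen for this example.

declare(strict_types=1);

use Spatie\Browsershot\Browsershot;

final class RenderUrlValidator
{
    // Assumption: the application only ever needs to render web pages.
    private const ALLOWED_SCHEMES = ['http', 'https'];

    /** Returns the URL unchanged if it may be rendered, otherwise throws. */
    public static function assertRenderable(string $url): string
    {
        $url = trim($url);

        // Browsers normalise backslashes to slashes and tolerate embedded
        // whitespace, so a plain prefix test on "file://" is bypassable;
        // refuse anything that is not a clean, printable URL up front.
        if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url) === 1) {
            throw new InvalidArgumentException('URL contains whitespace, control characters or backslashes');
        }

        $parts = parse_url($url);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            // file:///etc/passwd parses with a scheme but no host and stops here.
            throw new InvalidArgumentException('URL must be absolute and carry a host');
        }

        // Compare lower-cased so FILE:// and File:// cannot slip past the allowlist.
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, self::ALLOWED_SCHEMES, true)) {
            throw new InvalidArgumentException("scheme '{$scheme}' is not allowed");
        }

        // Allowing http(s) still lets the renderer reach internal services;
        // refuse literal loopback, private and reserved addresses as a minimum.
        // Hostnames that resolve to such addresses need a DNS check as well.
        $host = strtolower(trim($parts['host'], '[]'));
        $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
        $isPublicIp = filter_var($host, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
        if ($host === 'localhost' || ($isIp && !$isPublicIp)) {
            throw new InvalidArgumentException("host '{$host}' is not allowed");
        }

        return $url;
    }
}

// Vulnerable pattern from the advisory: the request parameter reaches
// Browsershot::url() unchanged, so ?url=file:///etc/passwd renders that file.
//
//     Browsershot::url($_GET['url'])->save('page.pdf');
//
// Hardened form: validate first, render second.
function renderPdfFromUserUrl(string $userUrl): string
{
    $safeUrl = RenderUrlValidator::assertRenderable($userUrl);

    return Browsershot::url($safeUrl)->pdf();
}

// Constructed sample inputs; the validator runs without Browsershot installed.
if (PHP_SAPI === 'cli') {
    $samples = [
        'https://example.com/report',
        'file:///etc/passwd',
        'FILE:///etc/passwd',
        'file:\\\\etc\\passwd',
        'http://127.0.0.1:8080/admin',
        'http://[::1]/',
        'javascript:alert(1)',
    ];
    foreach ($samples as $sample) {
        try {
            RenderUrlValidator::assertRenderable($sample);
            echo "allowed  {$sample}\n";
        } catch (InvalidArgumentException $e) {
            echo "rejected {$sample}: {$e->getMessage()}\n";
        }
    }
}
```

The validator works on the parsed scheme rather than on a string prefix so that case, whitespace and backslash variants are all handled by the same rule; the host check covers only IP literals, and a deployment that must also stop attacker-chosen hostnames from reaching internal addresses needs to resolve the name and apply the same range check to the result.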


Related Identifiers

CVE-2022-41706
GHSA-8C2C-JXWJ-JQGF

Affected Products

Browsershot