CVE-2022-43984

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions Browsershot version 3.57.3

Description The issue allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol.

Recommendations For Browsershot version 3.57.3, consider validating JS content imported from external sources to prevent the use of file:// protocol URLs in the Browsershot::html method until a patch is available. As a temporary workaround, restrict the use of the Browsershot::html method with external JS content to minimize the risk of exploitation.

Exploit

Fix

XSS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79CWE-20

Related Identifiers

CVE-2022-43984

GHSA-6Q49-35H6-RQ2P

Affected Products

Browsershot

CVE-2022-43984

Weakness Enumeration

Related Identifiers

Affected Products

References · 8