PT-2024-27353 · Playright+1 · Playright+1
Timoxoszt
·
Published
2024-06-05
·
Updated
2024-06-11
·
CVE-2024-37169
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
@jmondi/url-to-png versions prior to 2.0.3
Description
The issue allows for arbitrary file read if a threat actor uses Playright's screenshot feature to exploit the file wrapper. No known workarounds are available aside from upgrading. The utility requires input URLs to be of protocol
http or https to mitigate this issue.Recommendations
For versions prior to 2.0.3, upgrade to version 2.0.3 or later, which requires input URLs to be of protocol
http or https, to resolve the issue. As a temporary workaround, consider restricting the use of the Playright's screenshot feature until the upgrade is applied.Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Jmondi/Url-To-Png
Playright