CVE-2022-43983

Source
https://cve.org/CVERecord?id=CVE-2022-43983
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-43983.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-43983
Aliases
Published
2022-11-25T00:00:00Z
Modified
2026-07-15T01:49:15.604086154Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator
Summary
Browsershot 3.57.2 - Server Side XSS to LFR via HTML
Details

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL's that use the file:// protocol.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/43xxx/CVE-2022-43983.json",
    "cna_assigner": "Fluid Attacks"
}
References

Affected packages

Git / github.com/spatie/browsershot

Affected ranges

Type
GIT
Repo
https://github.com/spatie/browsershot
Events
Database specific
{
    "cpe": "cpe:2.3:a:spatie:browsershot:3.57.2:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.57.2"
        },
        {
            "last_affected": "3.57.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_STRING"
    ]
}

Affected versions

3.*
3.57.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-43983.json"