GHSA-6q49-35h6-rq2p

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-6q49-35h6-rq2p/GHSA-6q49-35h6-rq2p.json
Aliases
  • CVE-2022-43984
Published
2022-11-25T18:30:25Z
Modified
2023-02-03T05:10:23.944509Z
Details

Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not check whether JS content imported from an external source and passed to the Browsershot::html method contains URLs that use the file:// protocol.

References

Affected packages

Packagist / spatie/browsershot

Affected ranges

Type
ECOSYSTEM
Events
  • Introduced: 0
  • Fixed: 3.57.4

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3

1.*

1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.4.0
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0
1.7.0
1.8.0
1.9.0
1.9.1

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.1.0
2.2.0
2.3.0
2.4.0
2.4.1
2.4.2

3.*

3.0.0
3.1.0
3.10.0
3.11.0
3.11.1
3.12.0
3.13.0
3.14.0
3.14.1
3.15.0
3.16.0
3.16.1
3.17.0
3.18.0
3.19.0
3.2.0
3.2.1
3.20.0
3.20.1
3.22.0
3.22.1
3.23.0
3.23.1
3.24.0
3.25.0
3.25.1
3.26.0
3.26.1
3.26.2
3.26.3
3.27.0
3.29.0
3.3.0
3.3.1
3.30.0
3.31.0
3.31.1
3.32.0
3.32.1
3.32.2
3.33.0
3.33.1
3.34.0
3.35.0
3.36.0
3.37.0
3.37.1
3.37.2
3.38.0
3.39.0
3.4.0
3.40.0
3.40.1
3.40.2
3.40.3
3.41.0
3.41.1
3.41.2
3.42.0
3.44.0
3.44.1
3.45.0
3.46.0
3.47.0
3.48.0
3.49.0
3.5.0
3.50.0
3.50.1
3.50.2
3.51.0
3.52.0
3.52.1
3.52.2
3.52.3
3.52.4
3.52.5
3.52.6
3.53.0
3.54.0
3.55.0
3.56.0
3.57.0
3.57.1
3.57.2
3.57.3
3.6.0
3.7.0
3.8.0
3.8.1
3.9.0