Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.
{ "nvd_published_at": "2022-11-25T18:15:00Z", "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-12-02T22:18:57Z" }