← back
CVE-2022-43984

Browsershot 3.57.3 - Server Side XSS to LFR via HTML

CVSS 8.2 HIGHEPSS 0.6%CWE-79
Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Affected products
n/a · Browsershot

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://fluidattacks.com/advisories/malone/https://github.com/spatie/browsershot/