Arbitrary File Read in spatie/browsershot

Do your applications use this vulnerable package? Test your applications

Overview

spatie/browsershot is a library for converting a webpage to an image or pdf using headless Chrome.

Affected versions of this package are vulnerable to Arbitrary File Read. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.

Remediation

There is no fixed version for spatie/browsershot.

References

GitHub Issue

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

None
Availability

None

Credit: Anand
CVE: CVE-2020-7790
CWE: CWE-22
Snyk ID: SNYK-PHP-SPATIEBROWSERSHOT-1037064
Disclosed: 04 Nov, 2020
Published: 13 Dec, 2020

Arbitrary File Read
Affecting spatie/browsershot package, versions >=0.0.0

Overview

Remediation

References

CVSS Score

Arbitrary File Read Affecting spatie/browsershot package, versions >=0.0.0

Overview

Remediation

References

Arbitrary File Read
Affecting spatie/browsershot package, versions >=0.0.0