Browsershot 3.57.2 - Server Side XSS to LFR via URL
Summary
| Name | Browsershot 3.57.2 - Server Side XSS to LFR via URL |
| Code name | |
| Product | Browsershot |
| Affected versions | Version 3.57.2 |
| State | Public |
| Release date | 2022-10-28 |
Vulnerability
| Kind | Server Side XSS |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVSSv3.1 Base Score | 7.5 |
| Exploit available | Yes |
| CVE ID(s) |
Description
Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.
Vulnerability
This vulnerability occurs because the application does not validate the URL protocol passed to the Browsershot::url method. Thanks to this, an attacker can point to internal server files, which will be reflected in the PDF that will be generated.
Exploitation
Our security policy
We have reserved the CVE-2022-41706 to refer to these issues from now on.
System Information
-
Version: Browsershot 3.57.2
-
Operating System: GNU/Linux
Mitigation
An updated version of Browsershot is available at the vendor page.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/spatie/browsershot
Release https://github.com/spatie/browsershot/releases/tag/3.57.3
Timeline
2022-10-25
Vulnerability discovered.
2022-10-25
Vendor contacted.
2022-10-25
Vendor replied acknowledging the report.
2022-10-25
Vendor Confirmed the vulnerability.
2022-10-25
Vulnerability patched.
2022-10-28
Public Disclosure.
