We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-21544



Description

Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server.

Reserved 2023-12-22 | Published 2024-12-13 | Updated 2024-12-16 | Assigner snyk


HIGH: 7.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:PHIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P

Problem types

Improper Input Validation

Credits

Muhammad Firdaus Amran

References

security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496745

github.com/...1b9977d8df570c67/src/Browsershot.php#L258-L269

github.com/...ommit/fae8396641b961f62bd756920b14f01a4391296e

cve.org (CVE-2024-21544)

nvd.nist.gov (CVE-2024-21544)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-21544

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.