We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-21549



Description

Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a local file. **Note:** This is a bypass of the fix for [CVE-2024-21544](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496745).

Reserved 2023-12-22 | Published 2024-12-20 | Updated 2024-12-20 | Assigner snyk


HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:PHIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P

Problem types

Improper Input Validation

Credits

Ahmad Shauqi

References

security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023

github.com/spatie/browsershot/discussions/906

github.com/...ommit/f791ce0ae8dd99367dbfa30588ee31e1196e1728

cve.org (CVE-2024-21549)

nvd.nist.gov (CVE-2024-21549)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-21549

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.