CVE-2022-43983: Browsershot 3.57.2 - Server Side XSS to LFR via HTML | Advisories | Fluid Attacks


Summary

  • Name: Browsershot 3.57.2 - Server Side XSS to LFR via HTML

  • Code name: Khalid

  • Product: Browsershot

  • Affected versions: Version 3.57.2

  • State: Public

  • Release date: 2022-10-28

Vulnerability

  • Kind: Server Side XSS

  • Rule: 425. Server Side XSS

  • Remote: Yes

  • CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • CVSSv3 Base Score: 7.5

  • Exploit available: Yes

  • CVE ID(s): CVE-2022-43983

Description

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not check whether the HTML content passed to the Browsershot::html method contains URLs that use the file:// protocol.

Vulnerability

This vulnerability occurs because the application does not check whether the HTML content passed to the Browsershot::html method contains URLs that use the file:// protocol.

Exploitation

Our security policy

We have reserved CVE-2022-43983 to refer to this issue from now on.

  • https://fluidattacks.com/advisories/policy/

System Information

  • Version: Browsershot 3.57.2

  • Operating System: GNU/Linux

Mitigation

An updated version of Browsershot is available at the vendor page.
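
As an added example (not code from this advisory or from Browsershot), the following PHP sketch shows a caller-side check that rejects untrusted HTML containing file: URLs before it reaches Browsershot::html. The function names findFileUrls and assertNoFileUrls and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Browsershot code): caller-side check for untrusted HTML
// before it is passed to Browsershot::html(). Function names are hypothetical.

/** Returns every file: URL found in $html after URL-parser-style normalization. */
function findFileUrls(string $html): array
{
    // Decode character references so "file&#58;//" is compared as "file://".
    $text = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // URL parsers drop tabs and newlines inside a URL, so drop them here too.
    $text = str_replace(["\t", "\r", "\n"], '', $text);
    // Case-insensitive scheme match; the lookbehind skips longer names such as "profile:".
    preg_match_all('~(?<![a-z0-9+.\-])file:[^\s"\'<>)]*~i', $text, $m);
    return array_values(array_unique($m[0]));
}

/** Returns the HTML unchanged, or throws when a file: URL is present. */
function assertNoFileUrls(string $html): string
{
    $hits = findFileUrls($html);
    if ($hits !== []) {
        throw new InvalidArgumentException('HTML references local files: ' . implode(', ', $hits));
    }
    return $html;
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'plain'   => '<h1>Invoice</h1><img src="https://example.com/logo.png">',
    'direct'  => '<a href="file:///tmp/example.txt">x</a>',
    'encoded' => '<a href="FILE&#58;///tmp/example.txt">x</a>',
    'text'    => '<p>profile: admin</p>',
];

foreach ($samples as $name => $html) {
    try {
        assertNoFileUrls($html); // only now hand $html to Browsershot::html()
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

The check inspects the markup text only, so it is an extra layer next to upgrading to the release listed under References, not a replacement for it.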

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks’ Offensive Team.

References

Vendor page https://github.com/spatie/browsershot

Release https://github.com/spatie/browsershot/releases/tag/3.57.3

Timeline

  • 2022-10-25: Vulnerability discovered.

  • 2022-10-25: Vendor contacted.

  • 2022-10-25: Vendor replied acknowledging the report.

  • 2022-10-25: Vendor confirmed the vulnerability.

  • 2022-10-25: Vulnerability patched.

  • 2022-10-28: Public disclosure.
