CVE-2022-41706: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 25, 2022 (updated December 2, 2022)

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.

References

fluidattacks.com/advisories/eminem/
github.com/advisories/GHSA-8c2c-jxwj-jqgf
github.com/spatie/browsershot/
nvd.nist.gov/vuln/detail/CVE-2022-41706

Detect and mitigate CVE-2022-41706 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →