CVE-2022-43983: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 25, 2022 (updated November 30, 2022)

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL’s that use the file:// protocol.

References

fluidattacks.com/advisories/khalid/
github.com/advisories/GHSA-82h9-v8vh-mfpq
github.com/spatie/browsershot/commit/92cf16fc098211731f80d21687abeafbe2c457ad
nvd.nist.gov/vuln/detail/CVE-2022-43983

Detect and mitigate CVE-2022-43983 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →