CVE-2022-43984: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 25, 2022 (updated December 2, 2022)

Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol.

References

fluidattacks.com/advisories/malone/
github.com/advisories/GHSA-6q49-35h6-rq2p
nvd.nist.gov/vuln/detail/CVE-2022-43984

Detect and mitigate CVE-2022-43984 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →