Lucene search

SnykCVE-2020-7790

HistoryDec 11, 2020 - 11:15 a.m.

CVE-2020-7790

2020-12-1111:15:11

CWE-22

snyk

web.nvd.nist.gov

cve

2020

7790

spatie

browsershot

package

pdf

file protocol

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

44.0%

JSON

This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.

Affected configurations

Nvd

Node

spatiebrowsershot

VendorProductVersionCPE
spatiebrowsershot*cpe:2.3:a:spatie:browsershot:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
spatie	browsershot	*	cpe:2.3:a:spatie:browsershot::::::::

CNA Affected

[
  {
    "product": "spatie/browsershot",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0.0.0",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/spatie/browsershot/issues/441%23issue-735049731

snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-1037064

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

44.0%

JSON

Related for CVE-2020-7790