GitHub Advisory DatabaseGHSA-6M93-343M-3JRCCross-site Scripting in HTML2PDF
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.0%
An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| spipu/html2pdf | lt | 5.2.4 |
References
github.com/advisories/GHSA-6m93-343m-3jrc
github.com/spipu/html2pdf/blob/master/CHANGELOG.md
github.com/spipu/html2pdf/commit/100a4d509abf8550765cf0e0da83e83abb422585
github.com/spipu/html2pdf/commit/2e6bab9a2afe9cfd4d3c3038da64d8ad74e41d7f
github.com/spipu/html2pdf/releases/tag/v5.2.4
nvd.nist.gov/vuln/detail/CVE-2021-45394
www.synacktiv.com/sites/default/files/2022-01/html2pdf_ssrf_deserialization.pdf
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.0%