Downloads Resources over HTTP in headless-browser-lite

2019-02-18T23:56:58
ID GHSA-G95J-P8F6-PWH4
Type github
Reporter GitHub Advisory Database
Modified 2020-08-31T18:15:40

Description

Affected versions of headless-browser-lite insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running headless-browser-lite.

Recommendation

Update to version 2015.4.18-a or later.