9 matches found
CVE-2017-18352
Error reporting within Rendertron 1.0.0 allows reflected Cross Site Scripting (XSS) from invalid URLs...
CVE-2017-18353
Rendertron 1.0.0 includes an _ah/stop route to shut down the Chrome instance responsible for serving render requests to all users. Visiting this route with a GET request allows any unauthorized remote attacker to disable the core service of the application...
CVE-2017-18352
Error reporting within Rendertron 1.0.0 allows reflected Cross Site Scripting (XSS) from invalid URLs...
Design/Logic Flaw
Rendertron 1.0.0 allows for alternative protocols such as 'file://' introducing a Local File Inclusion (LFI) bug where arbitrary files can be read by a remote attacker...
Cross site scripting
Error reporting within Rendertron 1.0.0 allows reflected Cross Site Scripting (XSS) from invalid URLs...
CVE-2017-18352
Error reporting within Rendertron 1.0.0 allows reflected Cross Site Scripting (XSS) from invalid URLs...
CVE-2017-18354
Rendertron 1.0.0 allows for alternative protocols such as 'file://' introducing a Local File Inclusion (LFI) bug where arbitrary files can be read by a remote attacker...
CVE-2017-18352
CVE-2017-18352 affects Rendertron 1.0.0, where error reporting enables reflected XSS via invalid URLs. An attacker could lure a user to view a crafted URL to trigger script execution in the victim’s browser. The documents confirm the vulnerability and reference related patches/issues, but do not ...
CVE-2017-18353
Rendertron 1.0.0 exposes an unauthenticated HTTP GET endpoint at _ah/stop that shuts down the Chrome instance handling render requests. Several linked advisories (SUSE CVE entry, GHSA advisory, OSV/OSVDB) and CNVD entries confirm this route allows any unauthorized remote attacker to disable the c...