CVE-2017-18352
Error reporting within Rendertron 1.0.0 allows reflected Cross-Site Scripting (XSS) from invalid URLs...
Code injection
Installed packages are exposed by node_modules in Rendertron 1.0.0, allowing remote attackers to read absolute paths on the server by examining the "_where" attribute of package.json files...
CVE-2017-18353
Rendertron 1.0.0 includes an _ah/stop route to shut down the Chrome instance responsible for serving render requests to all users. Visiting this route with a GET request allows any unauthorized remote attacker to disable the core service of the application...
CVE-2017-18355
Installed packages are exposed by node_modules in Rendertron 1.0.0, allowing remote attackers to read absolute paths on the server by examining the "_where" attribute of package.json files...
CVE-2017-18354
Rendertron 1.0.0 is affected by a Local File Inclusion (LFI) vulnerability triggered by using alternative protocols such as file://, enabling remote attackers to read arbitrary local files. Technical details on affected components, exploit vectors, and fixes are not provided in the connected docu...
CVE-2017-18353
Rendertron 1.0.0 exposes an unauthenticated HTTP GET endpoint at _ah/stop that shuts down the Chrome instance handling render requests. Several linked advisories (SUSE CVE entry, GHSA advisory, OSV/OSVDB) and CNVD entries confirm this route allows any unauthorized remote attacker to disable the c...
CVE-2017-18355
CVE-2017-18355 affects Rendertron 1.0.0. The issue allows remote attackers to disclose server file paths by inspecting the '_where' attribute of package.json files in node_modules, effectively enabling absolute path disclosure. The description and connected sources consistently describe this expo...
CVE-2017-18352
CVE-2017-18352 affects Rendertron 1.0.0, where error reporting enables reflected XSS via invalid URLs. An attacker could lure a user to view a crafted URL to trigger script execution in the victim’s browser. The documents confirm the vulnerability and reference related patches/issues, but do not ...
CVE-2017-18354
Rendertron 1.0.0 allows alternative protocols such as 'file://', introducing a Local File Inclusion (LFI) bug where arbitrary files can be read by a remote attacker...
Rendertron Local File Inclusion Vulnerability
Rendertron is Google's open source Chrome rendering solution designed to instantly render web pages. Rendertron 1.0.0 suffers from a local file inclusion vulnerability that can be exploited by remote attackers to read arbitrary files via an alternate protocol...
Rendertron Cross-Site Scripting Vulnerability
Rendertron is Google's open source Chrome rendering solution designed to instantly render web pages. Error reporting in Rendertron 1.0.0 has a reflected cross-site scripting vulnerability that can be exploited by an attacker via an invalid URL to conduct a cross-site scripting attack...
Rendertron Absolute Path Disclosure Vulnerability
Rendertron is Google's open source Chrome rendering solution designed to instantly render web pages. Rendertron 1.0.0 suffers from an absolute path disclosure vulnerability, which stems from node_modules in Rendertron exposing installed packages, which can be exploited by a remote attacker to read...