4 matches found

Github Security Blog
added 2025/04/04 6:34 a.m., 18 views

Browsershot Server-Side Request Forgery (SSRF) via setURL() Function

Versions of the package spatie/browsershot from 0.0.0 to 5.0.3 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories...

CVSS 8.8, AI score 7.1, EPSS 0.00302
Exploits: 0, References: 4, Affected Software: 1
Snyk
added 2024/12/20 2:44 p.m., 1 views

Server-side Request Forgery (SSRF)

Overview: spatie/browsershot is a library for converting a webpage to an image or PDF using headless Chrome. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the setUrl function due to a missing restriction on user input, enabling attackers to access localhos...

CVSS 8.8, AI score 6.6, EPSS 0.00302
Exploits: 0, References: 2
BDU FSTEC
added 2024/08/12 12:0 a.m., 4 views

The vulnerability of the phpCAS::setUrl() function in the phpCAS authentication library allows an attacker to gain access to the user’s account.

The vulnerability of the phpCAS::setUrl function in the phpCAS authentication library relates to the use of HTTP headers to determine the URL address of the service used for ticket verification. This allows control over the host header and enables the use of a valid ticket for authentication in a...

CVSS 9, AI score 6.8, EPSS 0.01064
Exploits: 0, References: 4, Affected Software: 2
Veracode
added 2022/11/28 5:33 a.m., 32 views

Cross-site Scripting (XSS)

spatie/browsershot is vulnerable to cross-site scripting. The vulnerability exists in the setUrl function in Browsershot.php, which allows an external attacker to remotely obtain arbitrary local files, because the application does not validate the passed URL protocol...

CVSS 8.2, AI score 7.6, EPSS 0.0061
Exploits: 1, References: 4, Affected Software: 1