Lucene search
GoogleRendertron

5 matches found

CVE
added 2018/12/17 6:0 a.m. | 68 views

CVE-2017-18355

CVE-2017-18355 affects Rendertron 1.0.0. The issue allows remote attackers to disclose server file paths by inspecting the '_where' attribute of package.json files in node_modules, effectively enabling absolute path disclosure. The description and connected sources consistently describe this expo...

CVSS 7.5 | AI score 7.4 | EPSS 0.01089
CVE
added 2018/12/17 6:0 a.m. | 59 views

CVE-2017-18352

CVE-2017-18352 affects Rendertron 1.0.0, where error reporting enables reflected XSS via invalid URLs. An attacker could lure a user to view a crafted URL to trigger script execution in the victim’s browser. The documents confirm the vulnerability and reference related patches/issues, but do not ...

CVSS 6.1 | AI score 6 | EPSS 0.00588
CVE
added 2021/02/23 12:0 p.m. | 57 views

CVE-2020-8902

Summary (CVE-2020-8902): Rendertron versions prior to 3.0.0 are vulnerable to an SSRF flaw. An attacker can craft a webpage that causes a headless Chrome process used by Rendertron to render internal sites accessible to the system, potentially exposing internal resources as screenshots. Affected ...

CVSS 4.3 | AI score 4.2 | EPSS 0.00325
CVE
added 2018/12/17 6:0 a.m. | 55 views

CVE-2017-18354

Rendertron 1.0.0 is affected by a Local File Inclusion (LFI) vulnerability triggered by using alternative protocols such as file://, enabling remote attackers to read arbitrary local files. Technical details on affected components, exploit vectors, and fixes are not provided in the connected docu...

CVSS 7.5 | AI score 7.4 | EPSS 0.01199
CVE
added 2018/12/17 6:0 a.m. | 54 views

CVE-2017-18353

Rendertron 1.0.0 exposes an unauthenticated HTTP GET endpoint at _ah/stop that shuts down the Chrome instance handling render requests. Several linked advisories (SUSE CVE entry, GHSA advisory, OSV/OSVDB) and CNVD entries confirm this route allows any unauthorized remote attacker to disable the c...

CVSS 7.5 | AI score 7.4 | EPSS 0.01151