8.2
CVE-2025-1022
- EPSS 0.42%
- Veröffentlicht 05.02.2025 05:15:10
- Zuletzt bearbeitet 29.04.2026 01:00:01
- Quelle report@snyk.io
- CVE-Watchlists
- Unerledigt
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellern/a
≫
Produkt
spatie/browsershot
Version
0
Version <
5.0.5
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.42% | 0.333 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| report@snyk.io | 7.8 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| report@snyk.io | 8.2 | 3.9 | 4.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
https://gist.github.com/mrdgef/a820837c530e09e1dd725e013e0d4341
https://github.com/spatie/browsershot/commit/bcfd608b264fab654bf78e199bdfbb03e9323eb7
https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72
https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496747