Nishant Jain

4 exploits Active since Jul 2024
CVE-2024-39919 WRITEUP LOW WRITEUP
Jmondi Url-to-png < 2.1.2 - Information Disclosure
@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue has been addressed in version 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 3.1
CVE-2024-44729 WRITEUP HIGH WRITEUP
Mirotalk <9de226 - Privilege Escalation
Incorrect access control in the component app/src/server.js of Mirotalk before commit 9de226 allows unauthenticated attackers without presenter privileges to arbitrarily eject users from a meeting.
CVSS 7.5
CVE-2024-44730 WRITEUP CRITICAL WRITEUP
Mirotalk <c21d58 - Info Disclosure
Incorrect access control in the function handleDataChannelChat(dataMessage) of Mirotalk before commit c21d58 allows attackers to forge chat messages using an arbitrary sender name.
CVSS 9.1
CVE-2024-44731 WRITEUP MEDIUM WRITEUP
Mirotalk <9de226 - XSS
Mirotalk before commit 9de226 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary code via sending crafted payloads in messages to other users over RTC connections.
CVSS 4.7