CVE-2024-21549
HIGHSpatie Browsershot < 5.0.3 - Improper Input Validation
Title source: ruleDescription
Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a local file. **Note:** This is a bypass of the fix for [CVE-2024-21544](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496745).
References (3)
Core 3
Core References
Various Sources
https://github.com/spatie/browsershot/discussions/906
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023
Scores
CVSS v3
8.6
EPSS
0.0005
EPSS Percentile
15.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (2)
n/a/spatie/browsershot
< 5.0.3
spatie/browsershot
0 - 5.0.3Packagist
Published
Dec 20, 2024
Tracked Since
Feb 18, 2026