Vulnerability DatabaseCVE-2024-39919
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-39919
July 15, 2024
@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue has been addressed in version 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related ResourcesĀ (4)
https://github.com/jasonraimondi/url-to-png/commit/f62ff40403ffa1781459d6be8d97b8035888c00c
https://nvd.nist.gov/vuln/detail/CVE-2024-39919
https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-342q-2mc2-5gmp
https://github.com/jasonraimondi/url-to-png
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
EPSS
Base Score:
0.07