
We found results for “”
CVE-2024-39919
Good to know:


Date: July 15, 2024
@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an "ALLOW_LIST" where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue has been addressed in version 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Language: TYPE_SCRIPT
Severity Score
Related Resources (5)
Severity Score
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200Top Fix

CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | HIGH |
Privileges Required (PR): | LOW |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | LOW |
Integrity (I): | NONE |
Availability (A): | NONE |