CVE-2024-21547

Summary

Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:\. An attacker could read any file on the server by exploiting the normalization of \ into /.

Affected Software

VendorProductVersion RangeStatus
n/aspatie/browsershot0 < 5.0.2affected

Weaknesses

  • CWE-22: Directory Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References