Arbitrary File Read

Affecting html-pdf package, versions <3.0.0

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

html-pdf is a Html to pdf converter in nodejs.

Affected versions of this package are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as request.open("GET","file:///etc/passwd") will result in a PDF document with the contents of /etc/passwd.

Remediation

Upgrade html-pdf to version 3.0.0 or higher.

References

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Credit
Rajanish Pathak, Security Researcher at xen1thlabs
CVE
CVE-2019-15138
CWE
CWE-552
Snyk ID
SNYK-JS-HTMLPDF-467248
Disclosed
30 Jul, 2019
Published
19 Sep, 2019