Description

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. Input of the `ImageId` in the code is not sanitized and may lead to path traversal. This allows an attacker to store an image in an arbitrary location that the server has permission to access. This issue has been addressed in version 2.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2024-07-15T19:53:20.491Z

Last Modified :

2024-08-02T04:33:11.660Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-39918 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-39918.

URL Resource
https://github.com/jasonraimondi/url-to-png/blob/e43098e0af3a380ebc044e7f303a83933b94b434/src/middlewares/extract_query_params.ts#L75 cve-icon cve-icon cve-icon
https://github.com/jasonraimondi/url-to-png/commit/e4eaeca6493b21cd515b582fd6c0af09ede54507 cve-icon cve-icon cve-icon
https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-vvmv-wrvp-9gjr cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact