Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL's that use the file:// protocol.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| spatie/browsershot(Packagist) | 0 | 3.57.3 | N/A |
CVSS Metrics
