CVE-2019-15138
Arbitrary File Read in html-pdf
7.5
HIGH
CVSS 3.1
EPSS 0.32%
描述
All versions of `html-pdf` are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as `request.open("GET","file:///etc/passwd")` will result in a PDF document with the contents of `/etc/passwd`. ## Recommendation No fix is currently available. There is a mitigation available in the provided reference.
如何修補 CVE-2019-15138
要修補 CVE-2019-15138,請將受影響套件升級到下列已修補版本。
- —升級至 3.0.1 或更新版本
CVE-2019-15138 正在被利用嗎?
低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 3.0.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |