Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg0dzUtcjU0Ni14OXFo

Arbitrary File Read in html-pdf

All versions of html-pdf are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as request.open("GET","file:///etc/passwd") will result in a PDF document with the contents of /etc/passwd.

Recommendation

No fix is currently available. There is a mitigation available in the provided reference.

Permalink: https://github.com/advisories/GHSA-x4w5-r546-x9qh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg0dzUtcjU0Ni14OXFo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-x4w5-r546-x9qh, CVE-2019-15138
References:

Repository: https://github.com/marcbachmann/node-html-pdf
Blast Radius: 26.4

Affected Packages

npm:html-pdf

Dependent packages: 301
Dependent repositories: 3,285
Downloads: 649,166 last month
Affected Version Ranges: < 3.0.1
Fixed in: 3.0.1
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.5.0, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 3.0.0
All unaffected versions: 3.0.1