Arbitrary File Read Affecting jsreport-chrome-pdf package, versions <1.10.0


0.0
medium
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Confidentiality

    High

  • snyk-id

    SNYK-JS-JSREPORTCHROMEPDF-1037310

  • published

    5 Nov 2020

  • disclosed

    5 Nov 2020

  • credit

    Anand Namana

How to fix?

Upgrade jsreport-chrome-pdf to version 1.10.0 or higher.
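
To check a project against this fix, the following added example (not part of the advisory or of the jsreport project) scans a parsed package-lock.json for installed copies of jsreport-chrome-pdf older than 1.10.0. The function names and the sample lock file are constructed for illustration; for a real project, pass in `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.

```javascript
// Added example: report copies of jsreport-chrome-pdf below the fixed release.
const PKG = 'jsreport-chrome-pdf';
const FIXED = [1, 10, 0]; // fixed version stated in the advisory

// Compare major.minor.patch; pre-releases of the fixed version are counted
// as vulnerable (a conservative assumption of this example).
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) return true; // unparseable (git URL, missing): flag for manual review
  const core = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (core[i] !== FIXED[i]) return core[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies" objects).
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG) && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      if (name === PKG && isVulnerable(meta.version) &&
          !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lock file (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/jsreport-chrome-pdf': { version: '1.9.0' },
    'node_modules/a/node_modules/jsreport-chrome-pdf': { version: '1.10.0' },
  },
  dependencies: { 'jsreport-chrome-pdf': { version: '1.9.0' } },
};
console.log(findVulnerable(sampleLock));
```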

Overview

jsreport-chrome-pdf is a

Affected versions of this package are vulnerable to Arbitrary File Read. An Arbitrary File Read vulnerability exists in lib/conversion.js.

PoC

<script>document.write(window.location='../../../../../etc/passwd')</script>
