Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-39919
Summary
The package @jmondi/url-to-png is an open-source URL to PNG utility featuring parallel rendering using Playwright for screenshots and storage caching via Local, S3, or CouchDB. The package includes an 'ALLOW_LIST' where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue affects versions prior to 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- LOW
- NONE
CWE-200 - Information Exposure
An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.
References
Advisory Timeline
- Published
