CVE-2024-21527
CVSS 3.1 Score 8.2 of 10 (high)
Details
Summary
CVE-2024-21527 is a Server-Side Request Forgery (SSRF) vulnerability in the Go packages github.com/gotenberg/gotenberg/v8/pkg/gotenberg, github.com/gotenberg/gotenberg/v8/pkg/modules/chromium and github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before version 8.1.0. An attacker submits HTML to the /convert/html endpoint that references a local file, for example <iframe src="\\\\localhost/etc/passwd">; the headless Chromium instance that renders the submitted page fetches the referenced file and its contents end up in the generated document. The result is local file inclusion, allowing the attacker to read sensitive files on the host running Gotenberg. Upgrade to version 8.1.0 or later. As a workaround, restrict the URLs Chromium is permitted to request with the --chromium-deny-list and --chromium-allow-list flags.
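The workaround above is only as good as the regular expressions you pass to the flags, and the iframe payload in the advisory is exactly the kind of URL a naive pattern misses. The following added example (not Gotenberg's own code) models the allow/deny decision as a pair of regex checks and evaluates candidate URLs against three deny-list patterns. Assumptions, labelled in the code: Gotenberg loads the uploaded HTML from a temporary directory over file://, so the relative reference \\localhost/etc/passwd resolves to file://localhost/etc/passwd under WHATWG URL parsing (backslashes act as slashes in special schemes); the two "default" patterns OLD_DENY and NEW_DENY are what the author recalls the pre- and post-fix defaults to be, so verify them against `gotenberg --help` for your version; HARDENED_DENY is the author's own stricter pattern that additionally blocks loopback and cloud-metadata addresses; and the semantics "must match the allow list if one is set, must not match the deny list" are the author's reading of how the two flags combine.

```python
import re

# Constructed sample of URLs headless Chromium might request while rendering
# a submitted document. Assumption: Gotenberg serves the uploaded index.html
# from a temp directory over file://, so "\\localhost/etc/passwd" in an iframe
# src resolves (WHATWG URL: backslash == slash in special schemes) to the
# first entry below.
CANDIDATE_URLS = [
    "file://localhost/etc/passwd",               # the advisory's iframe payload
    "file:///etc/passwd",                        # plain local-file reference
    "file:///tmp/gotenberg-x/index.html",        # the uploaded document itself
    "http://169.254.169.254/latest/meta-data/",  # cloud metadata endpoint
    "http://127.0.0.1:8080/admin",               # loopback service on the host
    "https://example.com/logo.png",              # ordinary remote asset
]

# Assumed defaults (verify with `gotenberg --help` for your version).
# OLD_DENY only matches "file:///..." followed by a char outside [tmp], so a
# URL with a host component, file://localhost/..., never matches it.
OLD_DENY = r"^file:///[^tmp].*"
# NEW_DENY rejects every file: URL unless it is under /tmp, host or no host.
NEW_DENY = r"^file:(?!//\/tmp/).*"
# Author's own stricter pattern: also refuses loopback and link-local
# metadata addresses over http(s). Not a Gotenberg default.
HARDENED_DENY = (
    r"^(file:(?!//\/tmp/).*"
    r"|https?://(localhost|127\.0\.0\.1|169\.254\.169\.254)(:\d+)?/.*)$"
)


def is_allowed(url, allow_list=None, deny_list=None):
    """Assumed combination of the two flags: when an allow list is set the
    URL must match it; when a deny list is set the URL must not match it."""
    if allow_list and not re.search(allow_list, url):
        return False
    if deny_list and re.search(deny_list, url):
        return False
    return True


def evaluate(deny_list, allow_list=None, urls=CANDIDATE_URLS):
    """Map each candidate URL to True (Chromium may fetch it) or False."""
    return {u: is_allowed(u, allow_list, deny_list) for u in urls}


def bypasses(deny_list, allow_list=None, urls=CANDIDATE_URLS):
    """URLs that the given lists would still let through; anything pointing
    at a local file outside /tmp or at a loopback/metadata address here is a
    finding worth fixing before relying on the workaround."""
    decisions = evaluate(deny_list, allow_list, urls)
    return [u for u, ok in decisions.items() if ok and not u.startswith("https://example.com")]


if __name__ == "__main__":
    for label, pattern in (("OLD_DENY", OLD_DENY), ("NEW_DENY", NEW_DENY), ("HARDENED_DENY", HARDENED_DENY)):
        print(f"--chromium-deny-list={pattern!r}  ({label})")
        for url, ok in evaluate(pattern).items():
            print(f"  {'allow' if ok else 'DENY '}  {url}")
        print("  still reachable:", bypasses(pattern))
```

Run it against the patterns you actually deploy; the interesting output is the "still reachable" line, which for OLD_DENY contains the advisory's payload and the document under /tmp, and for NEW_DENY still contains the loopback and metadata addresses unless you extend the deny list (or pair it with a tight --chromium-allow-list of the hosts your templates legitimately load from).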