Description
Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.
Recommendation
Update the rendertron package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.0.0
- Patched version(s): 3.0.0
References
Related Issues
- Potential XSS vulnerability in jQuery - CVE-2020-11023
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) - CVE-2020-28500
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) 3 - CVE-2020-28500
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) 2 - CVE-2020-28500
- Tags:
- npm
- rendertron
Anything's wrong? Let us know Last updated on February 01, 2023