Description
Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.
Recommendation
Update the rendertron package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.0.0
- Patched version(s): 3.0.0
References
Related Issues
- XSS in apexcharts - CVE-2021-23327
- rendertron XSS vulnerability - CVE-2017-18352
- rendertron LFI vulnerability - CVE-2017-18354
- rendertron can remotely shut down Chrome instance - CVE-2017-18353
- Tags:
- npm
- rendertron
Anything's wrong? Let us know Last updated on February 01, 2023