Description
Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.
Recommendation
Update the rendertron package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.0.0
- Patched version(s): 3.0.0
References
Related Issues
- Command Injection in systeminformation - CVE-2020-26300
- Denial of service in three - CVE-2020-28496
- crypto-js uses insecure random numbers - CVE-2020-36732
- regular expression denial of service (ReDoS) - date-and-time - CVE-2020-26289
You might also like:
- Tags:
- npm
- rendertron
Anything's wrong? Let us know Last updated on February 01, 2023


