Vulnerability Information
Vulnerability Title
Capture screenshot of localhost web services (unauthenticated pages) in @jmondi/url-to-png
Vulnerability Description
@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue has been addressed in version 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
Information Exposure
Vulnerability Title
URL to PNG security vulnerability
Vulnerability Description
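URL to PNG is an application by the individual developer Jason Raimondi. Versions of URL to PNG before 2.1.1 contain a security vulnerability: by default, if the software is hosted on a server, users can capture screenshots of other web services running locally.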
CVSS Information
N/A
Vulnerability Type
N/A
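The description above names localhost, 127.0.0.1 and [::] as targets that were allowed by default. The following is an added example of a pre-render host check for a screenshot service; it is not the project's 2.1.1 blocklist code, and the function name `isBlockedTarget` and the sample URLs are hypothetical. It goes slightly beyond the three hosts listed by also covering the rest of 127.0.0.0/8, 0.0.0.0, ::1, and IPv4-mapped IPv6 forms.

```javascript
// Added example: refuse loopback/unspecified hosts before handing a URL to the renderer.
// isBlockedTarget is a hypothetical helper, not part of @jmondi/url-to-png.
function isBlockedTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return true; // unparseable input is refused rather than rendered
  }
  // Only web pages are valid screenshot targets.
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;

  // The WHATWG URL parser lowercases the host and canonicalises numeric
  // IPv4 spellings to dotted decimal, so one comparison covers them all.
  let host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (host === "localhost" || host.endsWith(".localhost")) return true;

  if (host.startsWith("[")) {
    const v6 = host.slice(1, -1);
    if (v6 === "::" || v6 === "::1") return true;
    // IPv4-mapped addresses are serialised as ::ffff:HHHH:LLLL
    const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
    if (!m) return false;
    const hi = parseInt(m[1], 16);
    const lo = parseInt(m[2], 16);
    host = `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
  }

  const v4 = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (v4) {
    // 127.0.0.0/8 is loopback; 0.0.0.0 is the unspecified address.
    return Number(v4[1]) === 127 || host === "0.0.0.0";
  }
  return false;
}

// Constructed sample requests
for (const u of ["http://localhost:3000/", "http://[::]/", "https://example.com/"]) {
  console.log(u, isBlockedTarget(u) ? "blocked" : "allowed");
}
```

This check inspects only the host literal in the URL; a deployment also needs to check the address a hostname resolves to and any redirect the page follows.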