CVE-2020-7790: browsershot local file inclusion vulnerability

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.4966%
Published: 5/24/2022
Updated: 2/1/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
spatie/browsershot | composer | < 3.40.1 | 3.40.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from how the Puppeteer instance handled URLs in `bin/browser.js`. The unpatched code directly passed user-controlled URLs to `page.goto()`, including `file://` protocol URLs. The fix in commit 8d4bcfb introduced a check for `file://` URLs and switched to `page.setContent()` for safer local HTML rendering. The PHP method `Browsershot::html()` created temporary files with `file://` URLs, but the root vulnerability was in the JavaScript navigation logic.
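The control described above, as an added example; it is not browsershot's code and not the patch in commit 8d4bcfb. It is stricter than the described fix because it allowlists `http:`/`https:` instead of only checking for `file://`. The names `planNavigation` and `load` and the request shape (`url`, `html`) are hypothetical.

```javascript
// Added example (not browsershot's code): decide how a render request may be
// loaded before anything reaches Puppeteer's page.goto().
// Assumption: a request carries either caller-supplied `url` or inline `html`.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function planNavigation(request) {
  // Inline HTML never needs a file:// temp file: hand it to page.setContent().
  if (typeof request.html === 'string') {
    return { action: 'setContent', html: request.html };
  }

  // Parse with the WHATWG URL parser instead of string matching, so that
  // "FILE://..." or a value with leading whitespace is normalised to "file:"
  // before the comparison.
  let parsed;
  try {
    parsed = new URL(request.url);
  } catch {
    return { action: 'reject', reason: 'unparseable URL' };
  }

  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { action: 'reject', reason: `protocol ${parsed.protocol} not allowed` };
  }
  return { action: 'goto', url: parsed.href };
}

// `page` is a Puppeteer Page; goto() and setContent() are its real methods.
async function load(page, request) {
  const plan = planNavigation(request);
  if (plan.action === 'reject') {
    throw new Error(`navigation refused: ${plan.reason}`);
  }
  if (plan.action === 'setContent') {
    return page.setContent(plan.html);
  }
  return page.goto(plan.url);
}

// Constructed sample requests.
const samples = [
  { url: 'https://example.com/' },
  { url: 'file:///tmp/constructed-sample.html' },
  { url: ' FILE:///tmp/constructed-sample.html' },
  { html: '<h1>constructed</h1>' },
];
for (const s of samples) console.log(JSON.stringify(s), '->', planNavigation(s).action);
```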
