Miggo Logo
Miggo Vulnerability Database
CVE-2024-21549

CVE-2024-21549: Browsershot Improper Input Validation vulnerability

8.6

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-21549
GHSA ID
GHSA-c9f5-29f6-c35w
EPSS Score
0.11732%
CWE
CWE-20
Published
12/20/2024
Updated
2/4/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
spatie/browsershotcomposer< 5.0.35.0.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insufficient URL validation in the setUrl method. The original implementation blocked 'file://' variants but didn't account for 'view-source:' prefix, which could wrap file:// URIs. The patch added 'view-source' to the $unsupportedProtocols array, confirming this was the attack vector. The method's validation logic directly controlled URL sanitization, making it the vulnerable entry point. Tests added in BrowsershotTest.php validate() this fix by testing 'view-source' cases.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* t** p**k*** sp*ti*/*rows*rs*ot ***or* *.*.* *r* vuln*r**l* to Improp*r Input V*li**tion *u* to improp*r URL v*li**tion t*rou** t** s*tUrl m*t*o*. *n *tt**k*r **n *xploit t*is vuln*r**ility *y utilizin* vi*w-sour**:*il*://, w*i** *llows *o

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt URL `v*li**tion` in t** `s*tUrl` m*t*o*. T** ori*in*l impl*m*nt*tion *lo*k** '*il*://' v*ri*nts *ut *i*n't ***ount *or 'vi*w-sour**:' pr**ix, w*i** *oul* wr*p `*il*://` URIs. T** p*t** ***** 'vi*w-sour**' to