9 vulnerabilities found for wkhtmltopdf by wkhtmltopdf
FKIE_CVE-2024-13285
Vulnerability from fkie_nvd - Published: 2025-01-09 20:15 - Updated: 2025-09-02 18:27
Summary
Vulnerability in Drupal wkhtmltopdf. This issue affects wkhtmltopdf: *.*.
References
| Source | URL | Tags |
|---|---|---|
| mlhess@drupal.org | https://www.drupal.org/sa-contrib-2024-049 | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wkhtmltopdf | wkhtmltopdf | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wkhtmltopdf:wkhtmltopdf:*:*:*:*:*:drupal:*:*",
"matchCriteriaId": "DF942FDD-D0C4-4288-8150-9CB04CD26628",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in Drupal wkhtmltopdf.This issue affects wkhtmltopdf: *.*."
},
{
"lang": "es",
"value": "Vulnerabilidad en Drupal wkhtmltopdf. Este problema afecta a wkhtmltopdf: *.*."
}
],
"id": "CVE-2024-13285",
"lastModified": "2025-09-02T18:27:12.030",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-01-09T20:15:37.470",
"references": [
{
"source": "mlhess@drupal.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.drupal.org/sa-contrib-2024-049"
}
],
"sourceIdentifier": "mlhess@drupal.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-35583
Vulnerability from fkie_nvd - Published: 2022-08-22 16:15 - Updated: 2025-03-18 18:42
Summary
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on it's source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wkhtmltopdf | wkhtmltopdf | 0.12.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wkhtmltopdf:wkhtmltopdf:0.12.6:*:*:*:*:*:*:*",
"matchCriteriaId": "68FDACEB-29B7-4F6A-9645-7F84E5B8653D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target\u0027s system by injecting iframe tag with initial asset IP address on it\u0027s source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets."
},
{
"lang": "es",
"value": "wkhtmlTOpdf versi\u00f3n 0.12.6, es vulnerable a un ataque de tipo SSRF que permite a un atacante conseguir acceso inicial en el sistema del objetivo al inyectar una etiqueta iframe con la direcci\u00f3n IP del activo inicial en su origen. Esto permite al atacante tomar el control de toda la infraestructura accediendo a sus activos internos."
}
],
"id": "CVE-2022-35583",
"lastModified": "2025-03-18T18:42:23.757",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-22T16:15:09.473",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html"
},
{
"source": "cve@mitre.org",
"tags": [
"URL Repurposed"
],
"url": "https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://wkhtmltopdf.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"URL Repurposed"
],
"url": "https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://wkhtmltopdf.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-21365
Vulnerability from fkie_nvd - Published: 2022-08-15 20:15 - Updated: 2024-11-21 05:12
Summary
Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536 | Exploit, Issue Tracking, Third Party Advisory |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/10/msg00027.html | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536 | Exploit, Issue Tracking, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/10/msg00027.html | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wkhtmltopdf | wkhtmltopdf | * |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wkhtmltopdf:wkhtmltopdf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "188C03DB-7001-45E0-BCF9-C31881353BCC",
"versionEndIncluding": "0.12.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations."
},
{
"lang": "es",
"value": "Una vulnerabilidad de salto de directorio en wkhtmltopdf versiones hasta 0.12.5, permite a atacantes remotos leer archivos locales y divulgar informaci\u00f3n confidencial por medio de un archivo html dise\u00f1ado que es ejecutado con las configuraciones predeterminadas."
}
],
"id": "CVE-2020-21365",
"lastModified": "2024-11-21T05:12:32.877",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-15T20:15:08.107",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00027.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00027.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-13285 (GCVE-0-2024-13285)
Vulnerability from cvelistv5 – Published: 2025-01-09 20:11 – Updated: 2025-01-10 16:15
Summary
Vulnerability in Drupal wkhtmltopdf. This issue affects wkhtmltopdf: *.*.
Severity ?
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | wkhtmltopdf | Affected: *.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13285",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T16:14:27.755053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T16:15:35.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/wkhtmltopdf",
"defaultStatus": "unaffected",
"product": "wkhtmltopdf",
"repo": "https://git.drupalcode.org/project/wkhtmltopdf",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-10-09T16:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Drupal wkhtmltopdf.\u003cp\u003eThis issue affects wkhtmltopdf: *.*.\u003c/p\u003e"
}
],
"value": "Vulnerability in Drupal wkhtmltopdf.This issue affects wkhtmltopdf: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T20:11:25.066Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-049"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13285",
"datePublished": "2025-01-09T20:11:25.066Z",
"dateReserved": "2025-01-09T18:28:21.231Z",
"dateUpdated": "2025-01-10T16:15:35.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35583 (GCVE-0-2022-35583)
Vulnerability from cvelistv5 – Published: 2022-08-22 00:00 – Updated: 2024-08-03 09:36
Summary
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on it's source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.415Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wkhtmltopdf.org/"
},
{
"tags": [
"x_transferred"
],
"url": "https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing"
},
{
"tags": [
"x_transferred"
],
"url": "https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target\u0027s system by injecting iframe tag with initial asset IP address on it\u0027s source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-24T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wkhtmltopdf.org/"
},
{
"url": "https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing"
},
{
"url": "https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently"
},
{
"url": "http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35583",
"datePublished": "2022-08-22T00:00:00",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-21365 (GCVE-0-2020-21365)
Vulnerability from cvelistv5 – Published: 2022-08-15 00:00 – Updated: 2024-08-04 14:30
Summary
Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:30:32.014Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536"
},
{
"name": "[debian-lts-announce] 20221024 [SECURITY] [DLA 3158-1] wkhtmltopdf security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00027.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-25T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536"
},
{
"name": "[debian-lts-announce] 20221024 [SECURITY] [DLA 3158-1] wkhtmltopdf security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00027.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21365",
"datePublished": "2022-08-15T00:00:00",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:30:32.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13285 (GCVE-0-2024-13285)
Vulnerability from nvd – Published: 2025-01-09 20:11 – Updated: 2025-01-10 16:15
Summary
Vulnerability in Drupal wkhtmltopdf. This issue affects wkhtmltopdf: *.*.
Severity ?
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | wkhtmltopdf | Affected: *.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13285",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T16:14:27.755053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T16:15:35.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/wkhtmltopdf",
"defaultStatus": "unaffected",
"product": "wkhtmltopdf",
"repo": "https://git.drupalcode.org/project/wkhtmltopdf",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-10-09T16:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Drupal wkhtmltopdf.\u003cp\u003eThis issue affects wkhtmltopdf: *.*.\u003c/p\u003e"
}
],
"value": "Vulnerability in Drupal wkhtmltopdf.This issue affects wkhtmltopdf: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T20:11:25.066Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-049"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13285",
"datePublished": "2025-01-09T20:11:25.066Z",
"dateReserved": "2025-01-09T18:28:21.231Z",
"dateUpdated": "2025-01-10T16:15:35.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35583 (GCVE-0-2022-35583)
Vulnerability from nvd – Published: 2022-08-22 00:00 – Updated: 2024-08-03 09:36
Summary
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on it's source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.415Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wkhtmltopdf.org/"
},
{
"tags": [
"x_transferred"
],
"url": "https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing"
},
{
"tags": [
"x_transferred"
],
"url": "https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target\u0027s system by injecting iframe tag with initial asset IP address on it\u0027s source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-24T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wkhtmltopdf.org/"
},
{
"url": "https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing"
},
{
"url": "https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently"
},
{
"url": "http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35583",
"datePublished": "2022-08-22T00:00:00",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-21365 (GCVE-0-2020-21365)
Vulnerability from nvd – Published: 2022-08-15 00:00 – Updated: 2024-08-04 14:30
Summary
Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:30:32.014Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536"
},
{
"name": "[debian-lts-announce] 20221024 [SECURITY] [DLA 3158-1] wkhtmltopdf security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00027.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-25T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536"
},
{
"name": "[debian-lts-announce] 20221024 [SECURITY] [DLA 3158-1] wkhtmltopdf security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00027.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21365",
"datePublished": "2022-08-15T00:00:00",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:30:32.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}