Open arthabus opened 3 years ago
Hi, this package is vulnerable to an Arbitrary File Read attack when scanned by Veracode. This vulnerability is found in version 2.2.0 (latest).

Description: html-pdf is vulnerable to arbitrary file read. An attacker is able to view local files by sending an XMLHttpRequest to fetch the contents and writing it into the HTML document during conversion of a file from HTML to PDF. This is due to using an emulated scriptable headless browser known as PhantomJS to save the render into PDF format, causing the JavaScript code in the file to be executed.

Hopefully, this will be solved very soon.
Duplicate of #530
Hi, not sure if the below info is enough, but running npm audit throws the below vulnerability:
"html-pdf": "^2.2.0"
Hopefully someone could look into it.