{"id":"CVE-2024-21544","details":"Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method.\r\rAn attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server.","aliases":["GHSA-g2r4-phv7-5fgv"],"modified":"2026-04-10T05:08:56.441125Z","published":"2024-12-13T05:15:07.883Z","references":[{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496745"},{"type":"WEB","url":"https://github.com/spatie/browsershot/blob/1e212b596c104138550ed4ef1b9977d8df570c67/src/Browsershot.php%23L258-L269"},{"type":"FIX","url":"https://github.com/spatie/browsershot/commit/fae8396641b961f62bd756920b14f01a4391296e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spatie/browsershot","events":[{"introduced":"0"},{"fixed":"fae8396641b961f62bd756920b14f01a4391296e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.0.1"}]}}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","1.0.0","1.1.0","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.4.0","1.5.0","1.5.1","1.5.2","1.5.3","1.6.0","1.7.0","1.8.0","2.0.1","2.0.2","2.0.3","2.1.0","2.2.0","2.4.0","2.4.1","3.0.0","3.1.0","3.10.0","3.11.0","3.11.1","3.12.0","3.13.0","3.14.0","3.14.1","3.15.0","3.16.0","3.16.1","3.17.0","3.18.0","3.19.0","3.2.0","3.2.1","3.20.0","3.20.1","3.22.0","3.22.1","3.23.0","3.23.1","3.24.0","3.25.0","3.25.1","3.26.0","3.26.1","3.26.2","3.26.3","3.27.0","3.29.0","3.3.0","3.3.1","3.30.0","3.31.0","3.31.1","3.32.0","3.32.1","3.32.2","3.33.0","3.33.1","3.34.0","3.35.0","3.36.0","3.37.0","3.37.1","3.37.2","3.38.0","3.39.0","3.4.0","3.40.0","3.40.1","3.40.2","3.40.3","3.41.0","3.41.1","3.41.2","3.42.0","3.44.0","3.44.1","3.45.0","3.46.0","3.47.0","3.48.0","3.49.0","3.5.0","3.50.0","3.50.1","3.50.2","3.51.0","3.52.0","3.52.1","3.52.2","3.52.3","3.52.4","3.52.5","3.52.6","3.53.0","3.54.0","3.55.0","3.56.0","3.57.0","3.57.1","3.57.2","3.57.3","3.57.4","3.57.5","3.57.6","3.57.7","3.57.8","3.58.0","3.58.1","3.58.2","3.59.0","3.6.0","3.60.0","3.60.1","3.60.2","3.61.0","3.7.0","3.8.0","3.8.1","3.9.0","4.0.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5","4.1.0","4.1.1","4.1.2","4.1.3","4.2.0","4.2.1","4.3.0","4.3.1","4.4.0","5.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21544.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}