Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Gotenberg
(Thecodingmachine)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 7 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-08-26 | CVE-2020-14161 | It is possible to inject HTML and/or JavaScript in the HTML to PDF conversion in Gotenberg through 6.2.1 via the /convert/html endpoint. | Gotenberg | 6.1 | ||
| 2021-08-26 | CVE-2020-14160 | An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources. | Gotenberg | 7.5 | ||
| 2021-02-26 | CVE-2021-23345 | All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>. | Gotenberg | 5.3 | ||
| 2021-01-07 | CVE-2020-13452 | In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution. | Gotenberg | 9.8 | ||
| 2021-01-07 | CVE-2020-13451 | An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros. | Gotenberg | 9.8 | ||
| 2021-01-07 | CVE-2020-13450 | A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite any writable files outside the intended folder. This can lead to DoS, a change to program behavior, or code execution. | Gotenberg | 9.8 | ||
| 2021-01-07 | CVE-2020-13449 | A directory traversal vulnerability in the Markdown engine of Gotenberg through 6.2.1 allows an attacker to read any container files. | Gotenberg | 7.5 |