Vulnerability Details CVE-2022-35583
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on it's source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.479
EPSS Ranking 97.6%
CVSS Severity
CVSS v3 Score 9.8
References
- http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html
- https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently
- https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing
- https://wkhtmltopdf.org/
- http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html
- https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently
- https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing
- https://wkhtmltopdf.org/
Products affected by CVE-2022-35583
-
cpe:2.3:a:wkhtmltopdf:wkhtmltopdf:0.12.6