First published: Mon Aug 22 2022(Updated: )
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on it's source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Wkhtmltopdf Wkhtmltopdf | =0.12.6 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-35583 is a vulnerability in wkhtmlTOpdf 0.12.6 that allows an attacker to perform Server-Side Request Forgery (SSRF) and gain initial access to the target's system.
CVE-2022-35583 has a severity rating of 9.8 (Critical).
CVE-2022-35583 affects wkhtmlTOpdf version 0.12.6.
An attacker can exploit CVE-2022-35583 by injecting an iframe tag with an initial asset IP address as its source, allowing them to perform SSRF and gain access to the target's system.
You can find more information about CVE-2022-35583 in the following references: [PacketStormSecurity](http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html), [Cyber-Guy's Blog](https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently), [Google Drive](https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing).