CVE-2022-43984: 
PHP vulnerability analysis and mitigation

Browsershot version 3.57.3 contains a vulnerability that allows remote attackers to obtain arbitrary local files. The vulnerability was discovered on October 25, 2022, and was assigned CVE-2022-43984. The issue affects the Browsershot::html method, which fails to validate JavaScript content imported from external sources, specifically allowing URLs that use the file:// protocol (Fluid Advisory).

The vulnerability is classified as a Server-Side Cross-Site Scripting (XSS) issue that leads to Local File Read (LFR). It has been assigned a CVSS v3.1 base score of 8.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The technical root cause lies in the application's failure to properly validate JavaScript content from external sources that is passed to the Browsershot::html method, specifically allowing the use of the file:// protocol (Fluid Advisory, NVD).

The vulnerability allows remote attackers to access and read arbitrary local files on the affected system. This can lead to unauthorized access to sensitive information and potential exposure of confidential data (Fluid Advisory).

An updated version of Browsershot is available from the vendor that addresses this vulnerability. Users are strongly recommended to upgrade to the latest version to mitigate the risk (Fluid Advisory, GitHub Browsershot).