SYM_JSTS_0138 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Server-Side Request Forgery (SSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Passing untrusted user input directly into Puppeteer's evaluate methods can allow attackers to execute arbitrary code in the browser context. This means user data should never be used as code or function arguments in these APIs.
Impact
If exploited, attackers could execute unauthorized scripts, potentially leading to server-side request forgery (SSRF), data theft, or manipulation of browser actions. This could compromise sensitive information, interact with internal resources, or enable further attacks against your infrastructure.
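The following is an added example, not code from this database entry or from Puppeteer, showing the unsafe pattern the description warns about next to the safe form. `fakePage`, the `document` stub and `BENIGN_PROBE` are constructed stand-ins so it runs without a browser; the stub `evaluate` is synchronous, whereas the real `page.evaluate` returns a Promise.

```javascript
// Constructed stand-in for the browser DOM: every selector "matches".
globalThis.document = {
  querySelector: (sel) => ({ textContent: `content of ${sel}` }),
};

// Constructed stand-in for a Puppeteer Page. Like Puppeteer, a string is
// compiled and run as JavaScript in the page, while a function is invoked
// with the extra arguments (serialized as plain values).
const fakePage = {
  evaluate(pageFunction, ...args) {
    if (typeof pageFunction === 'string') {
      return new Function(`return ${pageFunction};`)();
    }
    return pageFunction(...args);
  },
};

// UNSAFE: the user-controlled selector is spliced into source text, so a
// quote in the input ends the literal and the remainder executes as code.
function unsafeReadText(page, userSelector) {
  return page.evaluate(`document.querySelector("${userSelector}").textContent`);
}

// SAFE: the selector travels as an argument, so inside the page function it
// can only ever be a string value, never code.
function safeReadText(page, userSelector) {
  return page.evaluate((sel) => document.querySelector(sel).textContent, userSelector);
}

// Defensive wrapper for code review or lint rules: refuse source strings
// outright, forcing every call site onto the function-plus-arguments form.
function evaluateData(page, pageFunction, ...args) {
  if (typeof pageFunction !== 'function') {
    throw new TypeError('page.evaluate must receive a function, not source text');
  }
  return page.evaluate(pageFunction, ...args);
}

// Constructed input: closes the string literal and evaluates an expression
// that leaves a harmless marker, proving the input was treated as code.
const BENIGN_PROBE = '" + (globalThis.marker = "input ran as code") + "';

// Runs both patterns on the same input and reports whether the probe executed.
function compare(userSelector) {
  delete globalThis.marker;
  const unsafe = unsafeReadText(fakePage, userSelector);
  const unsafeRan = globalThis.marker === 'input ran as code';
  delete globalThis.marker;
  const safe = safeReadText(fakePage, userSelector);
  const safeRan = globalThis.marker === 'input ran as code';
  return { unsafe, unsafeRan, safe, safeRan };
}
```

With an ordinary selector both functions return the same text; with the probe only the string-building version lets the input run, which is the defect CWE-918 describes here.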