GHSA-q765-wm9j-66qj

Published: 3 Sep 2024
Source: github
Github: reviewed
CVSS4: 6.9
CVSS3: 7.3

Description

@blakeembrey/template vulnerable to code injection when attacker controls template input

Impact

It is possible to inject and run code within the template if the attacker has access to write the template name.

const { template } = require('@blakeembrey/template');
template("Hello {{name}}!", "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned");

Patches

Upgrade to 1.2.0.

Workarounds

Don't pass untrusted input as the template display name, or don't use the display name feature.
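As an added example (not the library's own code and not part of the advisory), the following is a hardened template compiler that applies the workaround: the display name is validated as a plain identifier and attached with Object.defineProperty instead of being spliced into generated source. The shape of the proof-of-concept string above suggests the name was interpolated into function source built at compile time; treating it that way is an assumption here, and compile and isSafeDisplayName are hypothetical helpers.

```javascript
// Added example, not the library's code. A display name reaching generated
// source is the injection path; here the name is validated as a plain
// identifier and set with Object.defineProperty, which only writes a string
// property and is never parsed or executed as code.

// Identifier rule: ASCII letters, digits, $ and _, not starting with a digit.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Partial list of keywords that match IDENT but are still not valid names.
// Defence in depth only: with defineProperty a keyword could not run anyway.
const RESERVED = new Set([
  'function', 'return', 'var', 'let', 'const', 'if', 'else', 'new', 'delete',
  'typeof', 'void', 'class', 'this', 'eval', 'arguments', 'await', 'yield',
]);

function isSafeDisplayName(name) {
  return (
    typeof name === 'string' &&
    name.length <= 64 &&
    IDENT.test(name) &&
    !RESERVED.has(name)
  );
}

// Minimal {{key}} substitution (assumption: stands in for the library's own
// compiler). It builds no source text and never calls new Function or eval.
function compile(source, displayName) {
  // Odd indices of the split hold the captured placeholder keys.
  const parts = source.split(/\{\{\s*([A-Za-z_$][A-Za-z0-9_$]*)\s*\}\}/);
  const render = (data = {}) =>
    parts.map((p, i) => (i % 2 ? String(data[p] ?? '') : p)).join('');
  if (displayName !== undefined) {
    if (!isSafeDisplayName(displayName)) {
      throw new TypeError(`unsafe display name: ${JSON.stringify(displayName)}`);
    }
    Object.defineProperty(render, 'name', { value: displayName });
  }
  return render;
}

// Constructed inputs: a benign name and the advisory's injection string.
const INJECTION =
  "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned";
const greet = compile('Hello {{name}}!', 'greet');
console.log(greet({ name: 'world' }), greet.name); // Hello world! greet
console.log(isSafeDisplayName(INJECTION));         // false
```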

References

Fixed by removing in https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa.

Packages

Name: @blakeembrey/template (npm)
Affected versions: < 1.2.0
Fixed version: 1.2.0

EPSS

Percentile: 62%
Score: 0.00423
Low

CVSS4: 6.9 Medium
CVSS3: 7.3 High

Weaknesses

CWE-94

Related vulnerabilities

CVSS3: 7.3
Source: nvd
Published more than 1 year ago

@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.
