Описание
XSS Attack with Express API
Impact
XSS attack - anyone using the Express API is impacted
Patches
The problem has been resolved. Users should upgrade to version 2.0.0.
Workarounds
Don't pass user supplied data directly to res.renderFile.
References
Are there any links users can visit to find out more? See https://github.com/eta-dev/eta/releases/tag/v2.0.0
Пакеты
Наименование
eta
npm
Затронутые версииВерсия исправления
< 2.0.0
2.0.0
Связанные уязвимости
CVSS3: 8.6
nvd
около 3 лет назад
Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to `res.render`.