Description
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API.
Note: This is exploitable only for users who are rendering templates with user-defined data.
Vulnerable configurations
Configuration 1: versions before 2.0.0 (exclusive)
cpe:2.3:a:eta.js:eta:*:*:*:*:*:node.js:*:*
EPSS
Score: 0.03526 (Low)
Percentile: 87%
CVSS3: 8.1 High
CVSS3: 8.8 High
Weaknesses
CWE-94
NVD-CWE-noinfo
CWE-94
Related vulnerabilities
CVSS3: 8.8
redhat
about 3 years ago
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
CVSS3: 8.8
github
about 3 years ago
Eta vulnerable to Code Injection via templates rendered with user-defined data