Описание
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Ссылки
- ExploitPatchThird Party Advisory
- Release NotesThird Party Advisory
- Third Party Advisory
- ExploitPatchThird Party Advisory
- Release NotesThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
EPSS
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
Связанные уязвимости
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js ...
Уязвимость функции outputFunctionName каркаса веб-приложений ejs для Node. js, позволяющая нарушителю выполнить произвольные команды
EPSS
9.8 Critical
CVSS3
7.5 High
CVSS2