CVE-2023-23630

2023-02-0101:15:08

CWE-79

[email protected]

web.nvd.nist.gov

eta

embedded

templating engine

xss

express api

upgrade

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

0.001 Low

EPSS

Percentile

27.2%

JSON

Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don’t pass user supplied things directly to res.render.

Affected configurations

Vulners

NVD

Node

eta-devetaRange<2.0.0

CPENameOperatorVersion
eta.js:etaeta.js etalt2.0.0

CPE	Name	Operator	Version
eta.js:eta	eta.js eta	lt	2.0.0

CNA Affected

[
  {
    "vendor": "eta-dev",
    "product": "eta",
    "versions": [
      {
        "version": "< 2.0.0",
        "status": "affected"
      }
    ]
  }
]