CVELIST:CVE-2023-23630 (source: GitHub_M)
History: Feb 01, 2023 - 12:38 a.m.

CVE-2023-23630 Cross-site scripting (XSS) vulnerability with Express API in Eta

Published: 2023-02-01 00:38:29
CWE: CWE-79
Source: GitHub_M (www.cve.org)
Tags: cve-2023-23630, cross-site scripting, express api, eta, node, deno, xss attack, upgrade 2.0.0, res.render workaround

CVSS3: 8.6 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score: 8.5 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 27.3%)

Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. Versions before 2.0.0 are vulnerable to cross-site scripting (XSS) through the Express API; any application that renders Eta templates via the Express API is affected. The problem has been resolved in version 2.0.0, and users should upgrade. As a workaround, do not pass user-supplied objects directly to res.render.
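The workaround above is easier to apply correctly when the unsafe and safe render-call patterns sit side by side. The following is an added example, not code from Eta, Express or the advisory. It models the situation the workaround guards against, assuming an engine that merges the data object handed to its render call into its own options, so that attacker-chosen keys in a request body reach the engine. The engine stand-in (`modelEngineRender`), the option name `autoEscape`, the field `name` and the attacker body are all illustrative assumptions; the allowlisting in `pickRenderData` is the part to carry over to a real Express route.

```javascript
// Added example (not Eta's or the advisory's code). Models a render call whose
// data object is also allowed to override engine options, the pattern the
// res.render workaround guards against. Engine behaviour is an assumption.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hypothetical engine stand-in: renders the fixed template "Hello <%= it.name %>"
// and reads `autoEscape` from options merged from the data object.
function modelEngineRender(data) {
  const options = { autoEscape: true, ...data }; // the dangerous merge
  const name = options.name === undefined ? "" : options.name;
  return "<p>Hello " + (options.autoEscape ? escapeHtml(name) : String(name)) + "</p>";
}

// Vulnerable pattern: the parsed request body goes straight to the render call
// (the equivalent of res.render('view', req.body)).
function renderUnsafe(requestBody) {
  return modelEngineRender(requestBody);
}

// Hardened pattern: copy only the fields the template needs, coerced to strings,
// into a fresh object so no attacker-chosen key can reach the engine.
const ALLOWED_FIELDS = ["name"];
function pickRenderData(requestBody) {
  const data = Object.create(null);
  for (const field of ALLOWED_FIELDS) {
    if (requestBody != null && Object.prototype.hasOwnProperty.call(requestBody, field)) {
      data[field] = String(requestBody[field]);
    }
  }
  return data;
}

function renderSafe(requestBody) {
  return modelEngineRender(pickRenderData(requestBody));
}

// Constructed attacker payload: a JSON body that smuggles an engine option
// alongside the field the template expects.
const ATTACK_BODY = { name: "<script>alert(1)</script>", autoEscape: false };

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderUnsafe(ATTACK_BODY));
  console.log("safe:  ", renderSafe(ATTACK_BODY));
}
```

In an Express handler the hardened form is `res.render('view', pickRenderData(req.body))` (or `req.query`), with the allowlist matching the template's fields. Upgrading to Eta 2.0.0 removes the underlying issue; the allowlist remains good practice because it also keeps unexpected fields out of the template scope.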

CNA Affected

[
  {
    "vendor": "eta-dev",
    "product": "eta",
    "versions": [
      {
        "version": "< 2.0.0",
        "status": "affected"
      }
    ]
  }
]
