GitHub Advisory Database: GHSA-3965-HPX2-Q597
History: May 24, 2024 - 2:45 p.m.

Pug allows JavaScript code execution if an application accepts untrusted input

Published: 2024-05-24 14:45:02
CWE: CWE-94
Source: GitHub Advisory Database (github.com)
Tags: pug, javascript, code execution, untrusted input, function security, software vulnerability

AI Score: 7.6 High (Confidence: Low)
EPSS: 0 Low (Percentile: 0.0%)

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
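The advisory says the name option is unsafe when it comes from untrusted callers. The example below is added here and is not code from the advisory or the Pug project; it shows the kind of guard an application would put in front of compileClient if that option cannot be kept fully internal: accept the name only when it is a plain JavaScript identifier that is not a reserved word. Pug itself is not loaded; fakeCompileClient is a constructed stand-in that only mimics the outer shape of the generated client code (a function declaration whose name is the name option) so the guard can be exercised offline.

```javascript
// Added example, not Pug's own code. Demonstrates an allowlist check on the
// `name` option before it reaches a client-side template compiler.

// A plain JavaScript identifier: letter, underscore or dollar, then word chars.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words that match the identifier pattern but are not valid function
// names. This is a partial list kept short for the example; a deployment would
// use a complete one, or simply never expose `name` to callers at all.
const RESERVED = new Set([
  'function', 'return', 'var', 'let', 'const', 'class', 'if', 'else',
  'new', 'this', 'delete', 'typeof', 'void', 'import', 'export', 'default',
]);

// True only for a string that can safely stand as a generated function name.
function isSafeTemplateName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

// Constructed stand-in for pug.compileClient. It is NOT Pug: it only reproduces
// the relevant fact from the advisory, that the `name` option is interpolated
// into generated JavaScript source as the template function's name.
function fakeCompileClient(src, options = {}) {
  const name = options.name || 'template';
  return [
    `function ${name}(locals) {`,
    '  var pug_html = "";',
    `  /* compiled body for a ${src.length}-character template would go here */`,
    '  return pug_html;',
    '}',
  ].join('\n');
}

// Hardened wrapper: validate `name` before delegating to the compiler.
// `compileClient` is injected so the same wrapper works with the real
// pug.compileClient or with the stand-in above.
function compileClientSafely(compileClient, src, options = {}) {
  if (options.name !== undefined && !isSafeTemplateName(options.name)) {
    throw new TypeError(
      `refusing template name that is not an identifier: ${JSON.stringify(options.name)}`
    );
  }
  return compileClient(src, options);
}

module.exports = { isSafeTemplateName, fakeCompileClient, compileClientSafely };
```

The wrapper rejects the value rather than escaping it: there is no quoting context around a function name in generated source, so the only safe values are identifiers, and anything else should be treated as a configuration error and logged as such.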

Affected configurations

Vulners node:
  github_advisory_database   pug            Range  3.0.2
  OR
  github_advisory_database   pug-code-gen   Range  2.0.3

CPE Name       Operator   Version
pug            le         3.0.2
pug-code-gen   le         2.0.3

