20 matches found
Astra Linux - vulnerability in node-ejs
The ejs (also known as Embedded JavaScript templates) package in Node.js before version 3.1.10 lacked certain measures to prevent pollution...
EUVD-2017-0340
Malware in sbrugna...
EUVD-2017-0347
Malware in sbrugna...
CVE-2023-29827
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with...
Fastify: Remote Code Execution via unsafe usage of `reply.view({ raw })` in @fastify/view (EJS template engine)
The @fastify/view plugin, when used with the EJS engine and the `reply.view({ raw })` pattern, allowed arbitrary EJS execution. This vulnerability arose from the fact that Fastify trusted the raw template string without sanitization or restrictions when passed directly to EJS's compile method, leading ...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to ejs lack of pollution protection vulnerability [CVE-2024-33883]
Summary: A potential ejs (aka Embedded JavaScript templates) package lack of pollution protection vulnerability, CVE-2024-33883, has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information...
02url-querystring-http (>=1.0.1 <=1.0.4), 0xgank-tea-advice-pull (=1.0.0) +32367 more potentially affected by CVE-2024-33883 via ejs (>=0.0.1 <=3.0.2)
ejs NPM version =0.0.1, =1.0.1, =1.0.4 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 - 0xgank-tea-characteristic =1.0.0 - 0xgank-tea-child-evening =1.0.0 -...
CVE-2023-29827
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with...
CVE-2023-29827
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with...
GHSA-PHWQ-J96M-2C2Q ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon template...
CVE-2022-29078
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon template...
PT-2022-3563
Name of the Vulnerable Software and Affected Versions: ejs versions 3.1.6. Description: The issue is related to the ejs package for Node.js, which allows server-side template injection in settings[view options][outputFunctionName]. This can be parsed as an internal option and overwrites the...
ejs vulnerable to DoS due to weak input validation
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in ejs.renderFile...
192.168.0.172 (=4.6.1), 2d-json-schema-editor-visual (>=1.0.2 <=1.0.7) +2089 more potentially affected by CVE-2017-1000189 via ejs (>=0.0.1 <=2.5.4)
ejs NPM version =0.0.1, =1.0.2, =0.0.1, =2.0.0-rc5, =0.1.0, =2.1.2, =0.1.0, =0.25.0, =0.4.5, =0.12.0-edge9, =2.1.5, =2.6.0 - @colmena/api =0.1.0 and more Source cves: CVE-2017-1000189 Source advisory: OSV:GHSA-6X77-RPQF-J6MW...
192.168.0.172 (=4.6.1), 2d-json-schema-editor-visual (>=1.0.2 <=1.0.7) +2089 more potentially affected by CVE-2017-1000188 via ejs (>=0.0.1 <=2.5.4)
ejs NPM version =0.0.1, =1.0.2, =0.0.1, =2.0.0-rc5, =0.1.0, =2.1.2, =0.1.0, =0.25.0, =0.4.5, =0.12.0-edge9, =2.1.5, =2.6.0 - @colmena/api =0.1.0 and more Source cves: CVE-2017-1000188 Source advisory: OSV:GHSA-HWCF-PP87-7X6P...
DEBIAN-CVE-2017-1000189
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile...
CVE-2017-1000189
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile...
CVE-2017-1000189
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile...
UBUNTU-CVE-2017-1000189
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile...
Cross-site Scripting (XSS)
Overview: ejs is a popular JavaScript templating engine. Affected versions of the package are vulnerable to Cross-site Scripting by letting the attacker under certain conditions control and override the filename option causing it to render the value as is, without escaping it. You can read more...