python-jinja2 security update
An update is available for python-jinja2. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The python-jinja2 package contains Jinja2, a template engine written in...
ALSA-2021:4161 Moderate: python-jinja2 security update
The python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django-inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Security Fixes: python-jinja2: ReDoS vulnerability due to the sub-pattern (CVE-2020-28493). For...
Arbitrary Code Execution
neoan3-apps/template is vulnerable to arbitrary code execution (RCE) attacks. An attacker could execute global or local functions & methods by storing particular values into the database via closures that are known to be eventually rendered by the template engine, resulting in arbitrary code executi...
CVE-2021-41170
neoan3-apps/template is a neoan3 minimal template engine. Versions prior to 1.1.1 have allowed for passing in closures directly into the template engine. As a result values that are callable are executed by the template engine. The issue arises if a value has the same name as a method or function...
CVE-2021-41170 Evaluation of closures can lead to execution of methods & functions in current program scope
neoan3-apps/template is a neoan3 minimal template engine. Versions prior to 1.1.1 have allowed for passing in closures directly into the template engine. As a result values that are callable are executed by the template engine. The issue arises if a value has the same name as a method or function...
CVE-2021-41170
The CVE concerns neoan3-apps/template (Neoan3 minimal template engine). Prior to 1.1.1, closures could be passed into the template and executed if a value shared a name with a method or function in scope, enabling potential arbitrary execution when rendering templates. The issue affects users han...
neoan3-template Security Vulnerability
Neoan3-Template is a minimal template engine for Neoan3. A security vulnerability exists in neoan3-template that arises from improper design or implementation during code development for a networked system or product...
IBM Edge Information Disclosure Vulnerability (CNVD-2021-94168)
Edge is a Node.js logic and template engine that contains batteries. IBM Edge has an information disclosure vulnerability that stems from the fact that IBM Edge allows web pages to be stored locally, which can be exploited by an attacker to read those pages...
GHSA-55R9-7MF8-M382 Cross-site Scripting in edge.js
Edge is a logical and batteries included template engine for Node.js. This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array instead of a string or a SafeValue, even if are used...
Cross-site Scripting (XSS)
Overview: tempura is a light, crispy, and delicious template engine. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the input to the esc function is of type object, i.e. an array, it is returned without being escaped/sanitized, leading to a potential Cross-Site...
TryGhost express-hbs information disclosure vulnerability
TryGhost express-hbs is an Express handlebars template engine with multiple layouts, blocks and cache sections. TryGhost express-hbs suffers from an information disclosure vulnerability that stems from the product's Express render API mixing pure template data with engine configuration options,...
GLSA-202105-06 : Smarty: Multiple vulnerabilities
The remote host is affected by the vulnerability described in GLSA-202105-06 (Smarty: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in the Smarty template engine. Please review the CVE identifiers referenced below for details. Impact: Please review the referenced CVE...
Smarty: Multiple vulnerabilities
Background: Smarty is a template engine for PHP. Description: Multiple vulnerabilities have been discovered in the Smarty template engine. Please review the CVE identifiers referenced below for details. Impact: Please review the referenced CVE identifiers for details. Workaround: There is no known...
Insecure template handling in express-hbs
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability...
Insecure template handling in Squirrelly
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in...
GHSA-Q8J6-PWQX-PM96 Insecure template handling in Squirrelly
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in...
CVE-2021-32819
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in...
CVE-2021-32817
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability...