Remote code execution
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in...
CVE-2021-32817
CVE-2021-32817 affects express-hbs, an Express handlebars template engine. The vulnerability arises from mixing template data with engine configuration via the render API, where the layout parameter may trigger information disclosure in downstream apps. The attack surface is constrained: only fil...
CVE-2021-32819 Remote code execution in squirrelly
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in...
CVE-2021-32819
CVE-2021-32819 - Node.js Squirrelly RCE: The Squirrelly template engine for Node.js is vulnerable when Express's render API is used to mix template data with engine configuration options, enabling remote code execution in downstream applications. The root cause is overwriting internal configurati...
Ruby Server Side Template Injection
A remote attacker can inject malicious commands into a template engine. Successful exploitation could result in the execution of arbitrary code in the affected web server...
Debian DLA-2618-3 : smarty3 regression update
The security update of smarty3, the compiling PHP template engine, issued as DLA 2618-1 introduced a regression in the Smarty_Security class when secure directories are evaluated. Updated smarty3 packages are now available to correct this issue. For Debian 9 stretch, this problem has been fixed in...
[SECURITY] [DLA 2618-1] smarty3 security update
Debian LTS Advisory DLA-2618-1 https://www.debian.org/lts/security/ Abhijith PA April 05, 2021 https://wiki.debian.org/LTS ...
PT-2021-6745 · Smarty +2
Name of the Vulnerable Software and Affected Versions: Smarty versions prior to 3.1.42 and 4.0.2 Description: The issue is related to the incorrect handling of code generation in the Smarty template engine for PHP. This allows template authors to run arbitrary PHP code by crafting a malicious mat...
Debian DLA-2599-1 : shibboleth-sp2 security update
Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv20210317.txt For Debian 9 stretch,...
Debian DSA-4872-1 : shibboleth-sp - security update
Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv20210317.txt © Tenable Network...
Debian DLA-2597-1 : velocity-tools security update
It was discovered that there was a cross-site scripting (XSS) vulnerability in velocity-tools, a collection of useful tools for the 'Velocity' template engine. The default error page could be exploited to steal session cookies, perform requests in the name of the victim, used for phishing attacks a...
Debian DLA-2595-1 : velocity security update
It was discovered that there was a potential arbitrary code execution vulnerability in velocity, a Java-based template engine for writing web applications. It could be exploited by applications which allowed untrusted users to upload/modify templates. For Debian 9 'Stretch', this problem has been...
[SECURITY] [DSA 4872-1] shibboleth-sp security update
Debian Security Advisory DSA-4872-1 https://www.debian.org/security/ Moritz Muehlenhoff March 18, 2021 https://www.debian.org/security/faq ...
Debian: Security Advisory (DLA-2595-1)
The remote host is missing an update for Debian. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright © by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] [DLA 2595-1] velocity security update
Debian LTS Advisory DLA-2595-1 https://www.debian.org/lts/security/ Chris Lamb March 17, 2021 https://wiki.debian.org/LTS ...
Logic flaw vulnerability in oasys
oasys is an OA (office automation) system. It uses Maven for project management, is built on the Spring Boot framework with a MySQL database underneath, uses the FreeMarker template engine on the front end with Bootstrap as the front-end UI framework, and integrates JPA, MyBatis and other...
CVE-2021-21353
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was...
Remote code execution
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was...
CVE-2021-21353
CVE-2021-21353 affects the Pug template engine before v3.0.1. If an attacker controls the pretty option via untrusted input (e.g., query params passed into template inputs), remote code execution on the Node.js backend was possible. The issue is fixed in v3.0.1; pug-code-gen has a backport fix in...
Smart Template Engine Injection Vulnerability (CNVD-2021-13245)
The Smart template engine is one of the most famous PHP engines in the industry today. It provides an easy-to-manage way to separate business logic from presentation logic. A vulnerability has been reported in the Smart Template Engine, which allows an attacker to write to a cache file via the...