Prion
added 2021/05/14 7:15 p.m.

Remote code execution

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in...

CVSS 6.8 | AI score 8.7 | EPSS 0.59844
Exploits 2 | References 4 | Affected software 1

CVE
added 2021/05/14 6:15 p.m.

CVE-2021-32817

CVE-2021-32817 affects express-hbs, an Express handlebars template engine. The vulnerability arises from mixing template data with engine configuration via the render API, where the layout parameter may trigger information disclosure in downstream apps. The attack surface is constrained: only fil...

CVSS 6.8 | AI score 6.2 | EPSS 0.01268
Exploits 1 | References 4 | Affected software 1

Cvelist
added 2021/05/14 12:00 a.m.

CVE-2021-32819 Remote code execution in squirrelly

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in...

CVSS 8 | AI score 9 | EPSS 0.59844
Exploits 2 | References 4

CVE
added 2021/05/14 12:00 a.m.

CVE-2021-32819

CVE-2021-32819 - Node.js Squirrelly RCE: The Squirrelly template engine for Node.js is vulnerable when Express’s render API is used to mix template data with engine configuration options, enabling remote code execution in downstream applications. The root cause is overwriting internal configurati...

CVSS 8.8 | AI score 8.3 | EPSS 0.59844
Exploits 2 | References 4 | Affected software 1

Check Point Advisories
added 2021/04/18 12:00 a.m.

Ruby Server Side Template Injection

A remote attacker can inject malicious commands into a template engine. Successful exploitation could result in the execution of arbitrary code in the affected web server...

AI score 4.4
Exploits 0

Tenable Nessus
added 2021/04/06 12:00 a.m.

Debian DLA-2618-3 : smarty3 regression update

The security update of smarty3, the compiling PHP template engine, issued as DLA 2618-1 introduced a regression in the Smarty_Security class when secure directories are evaluated. Updated smarty3 packages are now available to correct this issue. For Debian 9 stretch, this problem has been fixed in...

CVSS 7.5 | AI score 6.3 | EPSS 0.03463
Exploits 1 | References 4

Debian
added 2021/04/05 6:25 a.m.

[SECURITY] [DLA 2618-1] smarty3 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-2618-1 [email protected] https://www.debian.org/lts/security/ Abhijith PA April 05, 2021 https://wiki.debian.org/LTS -...

CVSS 9.8 | AI score 9.3 | EPSS 0.82316
Exploits 3

Positive Technologies
added 2021/03/30 12:00 a.m.

PT-2021-6745 · Smarty +2

Name of the Vulnerable Software and Affected Versions: Smarty versions prior to 3.1.42 and 4.0.2 Description: The issue is related to the incorrect handling of code generation in the Smarty template engine for PHP. This allows template authors to run arbitrary PHP code by crafting a malicious mat...

CVSS 9.8 | AI score 6.9 | EPSS 0.82316
Exploits 5 | References 72

Tenable Nessus
added 2021/03/19 12:00 a.m.

Debian DLA-2599-1 : shibboleth-sp2 security update

Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv20210317.txt For Debian 9 stretch,...

AI score 5.4
Exploits 0 | References 4

Tenable Nessus
added 2021/03/19 12:00 a.m.

Debian DSA-4872-1 : shibboleth-sp - security update

Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv20210317.txt ...

AI score 5.5
Exploits 0 | References 5

Tenable Nessus
added 2021/03/19 12:00 a.m.

Debian DLA-2597-1 : velocity-tools security update

It was discovered that there was a cross-site scripting XSS vulnerability in velocity-tools, a collection of useful tools for the 'Velocity' template engine. The default error page could be exploited to steal session cookies, perform requests in the name of the victim, used for phishing attacks a...

CVSS 6.1 | AI score 6.3 | EPSS 0.06357
Exploits 0 | References 4

Tenable Nessus
added 2021/03/19 12:00 a.m.

Debian DLA-2595-1 : velocity security update

It was discovered that there was a potential arbitrary code execution vulnerability in velocity, a Java-based template engine for writing web applications. It could be exploited by applications which allowed untrusted users to upload/modify templates. For Debian 9 'Stretch', this problem has been...

CVSS 9 | AI score 7.1 | EPSS 0.22709
Exploits 0 | References 4

Debian
added 2021/03/18 7:04 p.m.

[SECURITY] [DSA 4872-1] shibboleth-sp security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4872-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 18, 2021 https://www.debian.org/security/faq -...

AI score 6.8
Exploits 0

OpenVAS
added 2021/03/18 12:00 a.m.

Debian: Security Advisory (DLA-2595-1)

The remote host is missing an update for the Debian ... SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...

CVSS 9 | AI score 9.1 | EPSS 0.22709
Exploits 0 | References 3

Debian
added 2021/03/17 12:25 p.m.

[SECURITY] [DLA 2595-1] velocity security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-2595-1 [email protected] https://www.debian.org/lts/security/ Chris Lamb March 17, 2021 https://wiki.debian.org/LTS -...

CVSS 9 | AI score 8.9 | EPSS 0.22709
Exploits 0

CNVD
added 2021/03/10 12:00 a.m.

Logic flaw vulnerability in oasys

oasys is an OA (office automation) system that uses Maven for project management, is built on the Spring Boot framework with a MySQL database underneath, uses the FreeMarker template engine and Bootstrap as the front-end UI framework, and integrates JPA, MyBatis and other...

AI score 6.9
Exploits 0

NVD
added 2021/03/03 2:15 a.m.

CVE-2021-21353

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was...

CVSS 9 | EPSS 0.04269
Exploits 1 | References 7

Prion
added 2021/03/03 2:15 a.m.

Remote code execution

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was...

CVSS 6.8 | AI score 9.2 | EPSS 0.04269
Exploits 1 | References 7 | Affected software 2

CVE
added 2021/03/03 1:50 a.m.

CVE-2021-21353

CVE-2021-21353 affects the Pug template engine before v3.0.1. If an attacker controls the pretty option via untrusted input (e.g., query params passed into template inputs), remote code execution on the Node.js backend was possible. The issue is fixed in v3.0.1; pug-code-gen has a backport fix in...

CVSS 9 | AI score 8.1 | EPSS 0.04269
Exploits 1 | References 7 | Affected software 2
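The Squirrelly (CVE-2021-32819), express-hbs (CVE-2021-32817) and Pug (CVE-2021-21353) entries above share one root cause: Express's res.render(view, options) hands the engine a single object that it reads both as template data and as engine configuration, so a handler that spreads req.query or req.body into that object lets a client set engine options such as Pug's pretty or express-hbs's layout. The example below is added here to show the vulnerable pattern next to a hardened one; it is not code from any of those projects or advisories. The reserved-key list, the allowed field names and the sample query are assumptions for illustration, not an authoritative option list for any engine.

```javascript
// Added example, not code from Squirrelly, Pug, express-hbs or any advisory on
// this page. Shows why spreading untrusted request data into Express render
// options is dangerous, and how to keep template data and engine config apart.
'use strict';

// Keys that the engines named above, or Express itself, may interpret as
// configuration rather than as plain template data. ASSUMED, illustrative list;
// check your engine's documentation for the real set.
const ENGINE_OPTION_KEYS = new Set([
  'pretty', 'layout', 'cache', 'compileDebug', 'filename', 'basedir', 'settings', '_locals',
]);

// VULNERABLE pattern: the untrusted object is spread straight into the options
// that res.render() forwards to the engine. A request such as
// GET /search?q=x&pretty=... then arrives at the engine as options.pretty.
function vulnerableRenderOptions(query) {
  return { ...query };
}

// HARDENED pattern: copy only the named fields, coerce each to a string, and
// nest them under one key so that no client-controlled name reaches the top
// level of the options object, which is where the engine looks for its settings.
function safeRenderOptions(query, allowedFields) {
  const user = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(query, field)) {
      // Express's query parser can yield arrays for repeated keys (?q=a&q=b);
      // flatten to a scalar string so the template never sees an object.
      const v = query[field];
      user[field] = Array.isArray(v) ? String(v[0]) : String(v);
    }
  }
  return { user };
}

// Detection helper for auditing an existing app: given the object about to be
// passed to res.render(), return the top-level keys an engine may treat as
// configuration. Wrap res.render in middleware and log or reject on a non-empty result.
function findEngineOptionKeys(options) {
  return Object.keys(options).filter((k) => ENGINE_OPTION_KEYS.has(k));
}

// Constructed sample request data (not a real capture): an ordinary search
// query with two engine-option names appended by the client.
const SAMPLE_QUERY = {
  q: 'template',
  page: '2',
  pretty: 'attacker-controlled',
  layout: 'attacker-controlled',
};

function demo() {
  const bad = vulnerableRenderOptions(SAMPLE_QUERY);
  const good = safeRenderOptions(SAMPLE_QUERY, ['q', 'page']);
  return {
    leakedKeys: findEngineOptionKeys(bad), // ['pretty', 'layout']
    safeKeys: findEngineOptionKeys(good),  // []
    safeOptions: good,                     // { user: { q: 'template', page: '2' } }
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Nesting the allowlisted fields under a single key matters more than the reserved-key list: Express merges app.locals and res.locals into the same options object, and an engine can add new top-level settings in a later release, so a denylist alone goes stale while "nothing client-controlled at the top level" does not.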

CNVD
added 2021/02/23 12:00 a.m.

Smart Template Engine Injection Vulnerability (CNVD-2021-13245)

The Smarty template engine (written "Smart" in the CNVD translation) is one of the best-known PHP template engines today. It provides an easy-to-manage way to separate business logic from presentation logic. A vulnerability has been reported in Smarty which allows an attacker to write to a cache file via the...

CVSS 9.8 | AI score 6.5 | EPSS 0.82316
Exploits 1