Eta vulnerable to Code Injection via templates rendered with user-defined data

Severity:: High

Description

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.

Recommendation

Update the eta package to the latest compatible version. Followings are version details:

Affected version(s): < 2.0.0
Patched version(s): 2.0.0

References

GHSA-mf6x-hrgr-658f
security.snyk.io
CVE-2022-25967
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Parse Server vulnerable to brute force guessing of user sensitive data via search patterns - CVE-2022-36079
Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
Matrix-appservice-irc vulnerable to sql injection via roomIds argument - CVE-2022-3971

How do hackers hack websites?

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; eta

Anything's wrong? Let us know Last updated on February 07, 2023