npm package
ejs
pkg:npm/ejs
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-33883 | Med | 4.0 | < 3.1.10 | 3.1.10 | Apr 28, 2024 | The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection. | |
| CVE-2022-29078 | — | < 3.1.7 | 3.1.7 | Apr 25, 2022 | The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is exe | ||
| CVE-2017-1000228 | Cri | 9.8 | < 2.5.5 | 2.5.5 | Nov 17, 2017 | nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function | |
| CVE-2017-1000189 | Hig | 7.5 | < 2.5.5 | 2.5.5 | Nov 17, 2017 | nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile() | |
| CVE-2017-1000188 | Med | 6.1 | < 2.5.5 | 2.5.5 | Nov 17, 2017 | nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection |
- affected < 3.1.10fixed 3.1.10
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
- CVE-2022-29078Apr 25, 2022affected < 3.1.7fixed 3.1.7
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is exe
- affected < 2.5.5fixed 2.5.5
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
- affected < 2.5.5fixed 2.5.5
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
- affected < 2.5.5fixed 2.5.5
nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection