View all vulnerabilities

CVE-2022-29078

ejs template injection vulnerability

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
9.8
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions
ejs < 3.1.7
Severity
Ecosystem
JavaScript
Publish Date
April 25, 2022
Modified Date
November 7, 2023