CVE-2017-1000228 – ejs
Package
Manager: npm
Name: ejs
Vulnerable Version: >=0 <2.5.5
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0718 (percentile 0.91212)
Details
ejs is vulnerable to remote code execution due to weak input validation. Node.js ejs versions older than 2.5.3 are vulnerable to remote code execution due to weak input validation in the `ejs.renderFile()` function.
Metadata
Created: 2017-11-30T23:15:19Z
Modified: 2023-09-08T20:54:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/11/GHSA-3w5v-p54c-f74x/GHSA-3w5v-p54c-f74x.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-3w5v-p54c-f74x
Finding: F184
Auto approve: 1