CVE-2023-23630 – eta

Package

Manager: npm
Name: eta
Vulnerable Version: >=0 <2.0.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0014 pctl0.34815

Details

XSS Attack with Express API ### Impact XSS attack - anyone using the Express API is impacted ### Patches The problem has been resolved. Users should upgrade to version 2.0.0. ### Workarounds Don't pass user supplied data directly to `res.renderFile`. ### References _Are there any links users can visit to find out more?_ See https://github.com/eta-dev/eta/releases/tag/v2.0.0

Metadata

Created: 2023-01-31T22:39:40Z
Modified: 2023-02-08T22:37:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-xrh7-m5pp-39r6/GHSA-xrh7-m5pp-39r6.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xrh7-m5pp-39r6
Finding: F425
Auto approve: 1