CVE-2021-32818 – haml-coffee

Package

Manager: npm
Name: haml-coffee
Vulnerable Version: >=0 <=1.14.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00281 pctl0.51116

Details

Insecure template handling in haml-coffee haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs that may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025.

Metadata

Created: 2021-05-17T20:58:21Z
Modified: 2021-05-17T19:07:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-m7mf-vm62-7x3q/GHSA-m7mf-vm62-7x3q.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-m7mf-vm62-7x3q
Finding: F008
Auto approve: 1