mde/ejs

mde/ejs

Releases51

Frequency2 months 3 weeks

Last Release 9 days ago

Stars8.11K

Embedded JavaScript templates -- http://ejs.co

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-33883 ↗	Apr 28, 2024Sunday, 28 April 2024, 16:15	4 MEDIUM	—
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
CVE-2023-29827 ↗	May 4, 2023Thursday, 4 May 2023, 14:15	9.8 CRITICAL	—
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
CVE-2022-29078 ↗	Apr 25, 2022Monday, 25 April 2022, 15:15	9.8 CRITICAL	7.5 HIGH
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
CVE-2017-1000188 ↗	Nov 17, 2017Friday, 17 November 2017, 03:29	—	4.3 MEDIUM
nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection
CVE-2017-1000189 ↗	Nov 17, 2017Friday, 17 November 2017, 03:29	—	5 MEDIUM
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()