NodeJS/ejs/2.7.4
Embedded JavaScript templates
https://www.npmjs.com/package/ejs
Apache-2.0
2 Security Vulnerabilities
ejs lacks certain pollution protection
Published date: 2024-04-28T18:30:31Z
CVE: CVE-2024-33883
Links:
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.1.0", "0.2.0", "0.2.1", "0.3.0", "0.3.1", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.5.0", "0.6.0", "0.6.1", "0.7.0", "0.7.1", "0.7.2", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.8.5", "0.8.6", "0.8.8", "1.0.0", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.4.1", "2.4.2", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.5.6", "2.5.7", "2.5.8", "2.5.9", "2.6.1", "2.6.2", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "3.0.1", "3.0.2", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1.9"]
Secure versions:
[3.1.10]
Recommendation:
Update to version 3.1.10.
ejs template injection vulnerability
Published date: 2022-04-26T00:00:40Z
CVE: CVE-2022-29078
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-29078
- https://eslam.io/posts/ejs-server-side-template-injection-rce/
- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf
- https://github.com/advisories/GHSA-phwq-j96m-2c2q
- https://github.com/mde/ejs/releases
- https://security.netapp.com/advisory/ntap-20220804-0001/
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.1.0", "0.2.0", "0.2.1", "0.3.0", "0.3.1", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.5.0", "0.6.0", "0.6.1", "0.7.0", "0.7.1", "0.7.2", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.8.5", "0.8.6", "0.8.8", "1.0.0", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.4.1", "2.4.2", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.5.6", "2.5.7", "2.5.8", "2.5.9", "2.6.1", "2.6.2", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "3.0.1", "3.0.2", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6"]
Secure versions:
[3.1.10]
Recommendation:
Update to version 3.1.10.
75 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
3.1.10 | Apache-2.0 | | 2024-04-12 - 15:23 | 26 days |
3.1.9 | Apache-2.0 | 1 | 2023-03-12 - 19:29 | about 1 year |
3.1.8 | Apache-2.0 | 1 | 2022-05-11 - 18:55 | almost 2 years |
3.1.7 | Apache-2.0 | 1 | 2022-04-20 - 16:41 | about 2 years |
3.1.6 | Apache-2.0 | 2 | 2021-02-06 - 20:28 | about 3 years |
3.1.5 | Apache-2.0 | 2 | 2020-08-17 - 16:01 | over 3 years |
3.1.4 | Apache-2.0 | 2 | 2020-08-17 - 15:59 | over 3 years |
3.1.3 | Apache-2.0 | 2 | 2020-05-17 - 07:00 | almost 4 years |
3.1.2 | Apache-2.0 | 2 | 2020-04-24 - 04:27 | about 4 years |
3.0.2 | Apache-2.0 | 2 | 2020-03-29 - 18:40 | about 4 years |
3.0.1 | Apache-2.0 | 2 | 2019-11-24 - 01:43 | over 4 years |
2.7.4 | Apache-2.0 | 2 | 2019-11-19 - 19:16 | over 4 years |
2.7.3 | Apache-2.0 | 2 | 2019-11-19 - 02:00 | over 4 years |
2.7.2 | Apache-2.0 | 2 | 2019-11-13 - 20:52 | over 4 years |
2.7.1 | Apache-2.0 | 2 | 2019-09-02 - 19:31 | over 4 years |
2.6.2 | Apache-2.0 | 2 | 2019-06-15 - 15:26 | almost 5 years |
2.6.1 | Apache-2.0 | 2 | 2018-05-05 - 18:52 | about 6 years |
2.5.9 | Apache-2.0 | 2 | 2018-04-19 - 03:13 | about 6 years |
2.5.8 | Apache-2.0 | 2 | 2018-03-26 - 00:25 | about 6 years |
2.5.7 | Apache-2.0 | 2 | 2017-07-30 - 03:30 | almost 7 years |
2.5.6 | Apache-2.0 | 2 | 2017-02-16 - 20:43 | about 7 years |
2.5.5 | Apache-2.0 | 2 | 2016-12-06 - 08:05 | over 7 years |
2.5.4 | Apache-2.0 | 4 | 2016-12-05 - 22:09 | over 7 years |
2.5.3 | Apache-2.0 | 4 | 2016-11-28 - 21:18 | over 7 years |
2.5.2 | Apache-2.0 | 5 | 2016-09-07 - 14:46 | over 7 years |
2.5.1 | Apache-2.0 | 5 | 2016-07-25 - 17:21 | almost 8 years |
2.4.2 | Apache-2.0 | 5 | 2016-05-24 - 19:20 | almost 8 years |
2.4.1 | Apache-2.0 | 5 | 2016-01-24 - 05:07 | over 8 years |
2.3.4 | Apache-2.0 | 5 | 2015-09-07 - 04:06 | over 8 years |
2.3.3 | Apache-2.0 | 5 | 2015-07-11 - 20:10 | almost 9 years |
2.3.2 | Apache-2.0 | 5 | 2015-06-29 - 00:23 | almost 9 years |
2.3.1 | Apache-2.0 | 5 | 2015-02-23 - 01:25 | about 9 years |
2.2.4 | Apache-2.0 | 5 | 2015-02-01 - 18:31 | over 9 years |
2.2.3 | Apache-2.0 | 5 | 2015-01-23 - 23:52 | over 9 years |
2.2.2 | Apache-2.0 | 5 | 2015-01-21 - 22:30 | over 9 years |
2.2.1 | Apache-2.0 | 5 | 2015-01-20 - 06:11 | over 9 years |
2.1.4 | Apache-2.0 | 5 | 2015-01-12 - 19:08 | over 9 years |
2.1.3 | Apache-2.0 | 5 | 2015-01-12 - 03:10 | over 9 years |
2.1.2 | Apache-2.0 | 5 | 2015-01-11 - 20:16 | over 9 years |
2.1.1 | Apache-2.0 | 5 | 2015-01-11 - 17:55 | over 9 years |
2.0.8 | Apache-2.0 | 5 | 2015-01-06 - 21:03 | over 9 years |
2.0.7 | Apache-2.0 | 5 | 2015-01-05 - 20:52 | over 9 years |
2.0.6 | Apache-2.0 | 5 | 2015-01-05 - 00:45 | over 9 years |
2.0.5 | Apache-2.0 | 5 | 2015-01-04 - 23:22 | over 9 years |
2.0.4 | Apache-2.0 | 5 | 2015-01-04 - 23:19 | over 9 years |
2.0.3 | Apache-2.0 | 5 | 2015-01-04 - 18:50 | over 9 years |
2.0.2 | Apache-2.0 | 5 | 2015-01-04 - 07:05 | over 9 years |
1.0.0 | Apache-2.0 | 5 | 2014-03-24 - 16:32 | about 10 years |
0.8.8 | Apache-2.0 | 5 | 2014-03-24 - 16:29 | about 10 years |
0.8.6 | Apache-2.0 | 5 | 2014-03-21 - 16:10 | about 10 years |
0.8.5 | Apache-2.0 | 5 | 2013-11-22 - 00:20 | over 10 years |
0.8.4 | Apache-2.0 | 5 | 2013-05-08 - 16:40 | almost 11 years |
0.8.3 | Apache-2.0 | 5 | 2012-09-13 - 17:39 | over 11 years |
0.8.2 | Apache-2.0 | 5 | 2012-08-16 - 16:10 | over 11 years |
0.8.1 | Apache-2.0 | 5 | 2012-08-11 - 19:08 | over 11 years |
0.8.0 | Apache-2.0 | 5 | 2012-07-25 - 15:47 | almost 12 years |
0.7.2 | Apache-2.0 | 5 | 2012-06-22 - 15:23 | almost 12 years |
0.7.1 | Apache-2.0 | 5 | 2012-03-26 - 15:49 | about 12 years |
0.7.0 | Apache-2.0 | 5 | 2012-03-25 - 03:22 | about 12 years |
0.6.1 | Apache-2.0 | 5 | 2011-12-10 - 00:03 | over 12 years |
0.6.0 | Apache-2.0 | 5 | 2011-12-09 - 23:53 | over 12 years |
0.5.0 | Apache-2.0 | 5 | 2011-11-20 - 19:57 | over 12 years |
0.4.3 | Apache-2.0 | 5 | 2011-06-20 - 15:43 | almost 13 years |
0.4.2 | Apache-2.0 | 5 | 2011-05-11 - 16:41 | almost 13 years |
0.4.1 | Apache-2.0 | 5 | 2011-04-21 - 16:12 | about 13 years |
0.4.0 | Apache-2.0 | 5 | 2011-04-21 - 15:38 | about 13 years |
0.3.1 | Apache-2.0 | 5 | 2011-02-24 - 03:08 | about 13 years |
0.3.0 | Apache-2.0 | 5 | 2011-02-14 - 21:15 | about 13 years |
0.2.1 | Apache-2.0 | 5 | 2011-02-14 - 21:15 | about 13 years |
0.2.0 | Apache-2.0 | 5 | 2011-02-14 - 21:15 | about 13 years |
0.1.0 | Apache-2.0 | 5 | 2011-02-14 - 21:15 | about 13 years |
0.0.4 | Apache-2.0 | 5 | 2011-02-14 - 21:15 | about 13 years |
0.0.3 | Apache-2.0 | 5 | 2011-02-14 - 21:15 | about 13 years |
0.0.2 | Apache-2.0 | 5 | 2011-02-14 - 21:15 | about 13 years |
0.0.1 | Apache-2.0 | 5 | 2011-02-14 - 21:15 | about 13 years |