Cross-Site Scripting Vulnerability in EJS Template Engine by Node.js
CVE-2017-1000188

6.1MEDIUM

Key Information:

Vendor: Ejs
Status: Ejs
Vendor: CVE Published:; 17 November 2017

What is CVE-2017-1000188?

The EJS template engine, used alongside Node.js, is prone to a Cross-Site Scripting vulnerability in versions prior to 2.5.5. This issue allows attackers to exploit the ejs.renderFile() function, leading to potential code injection attacks that can compromise the security of web applications utilizing this template engine. It’s crucial for developers to update to the latest version of EJS to secure their applications against such vulnerabilities.

References

https://github.com/mde/ejs/commit/49264e0037e313a0a3e0334...

x_refsource_MISC

http://www.securityfocus.com/bid/101889

vdb-entryx_refsource_BID

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 17, 2017
Vulnerability Reserved
Nov 16, 2017

Ejs

What is CVE-2017-1000188?

References

CVSS V3.1

Timeline