GHSA-xrh7-m5pp-39r6

Source

https://github.com/advisories/GHSA-xrh7-m5pp-39r6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-xrh7-m5pp-39r6/GHSA-xrh7-m5pp-39r6.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-xrh7-m5pp-39r6

Aliases

CVE-2023-23630

Published

2023-01-31T22:39:40Z

Modified

2023-11-01T05:01:12.690170Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVSS Calculator

Summary

XSS Attack with Express API

Details

Impact

XSS attack - anyone using the Express API is impacted

Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Don't pass user supplied data directly to res.renderFile.

References

Are there any links users can visit to find out more? See https://github.com/eta-dev/eta/releases/tag/v2.0.0

Database specific

{
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2023-02-01T01:15:00Z",
    "github_reviewed_at": "2023-01-31T22:39:40Z",
    "github_reviewed": true
}

References

Affected packages

npm / eta

Package

Name: eta; View open source insights on deps.dev
Purl: pkg:npm/eta

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.0