PT-2023-12842 · Eta · Eta
Rayhan Ahmed Niloy
Published: 2023-01-30 · Updated: 2025-03-27
CVE-2022-25967
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
eta versions prior to 2.0.0
Description
The issue allows Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. It is exploitable only when templates are rendered with user-defined data.
Recommendations
For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the rendering of templates with user-defined data until a patch is available.
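One way to apply the workaround above in an Express handler, shown as an added example (not code from the Eta project or from this advisory): build the object passed to res.render() from a per-view allow-list, so keys supplied in the request never reach the top level of the render options. The names PROFILE_FIELDS, safeRenderData and rejectedKeys, and the sample query, are hypothetical.

```javascript
// Hypothetical per-view allow-list: field name -> validator that returns the
// normalised value, or undefined to drop the field.
const PROFILE_FIELDS = {
  name: (v) => (typeof v === 'string' && v.length <= 64 ? v : undefined),
  page: (v) => (typeof v === 'string' && /^\d{1,3}$/.test(v) ? Number(v) : undefined),
};

// Copy only allow-listed, validated fields out of untrusted input.
function safeRenderData(untrusted, fields) {
  const out = Object.create(null); // no inherited keys to collide with options
  if (untrusted === null || typeof untrusted !== 'object') return out;
  for (const key of Object.keys(fields)) {
    if (!Object.prototype.hasOwnProperty.call(untrusted, key)) continue;
    const value = fields[key](untrusted[key]);
    if (value !== undefined) out[key] = value;
  }
  return out;
}

// Names of request keys that were not on the allow-list, for logging/alerting.
function rejectedKeys(untrusted, fields) {
  if (untrusted === null || typeof untrusted !== 'object') return [];
  return Object.keys(untrusted).filter(
    (k) => !Object.prototype.hasOwnProperty.call(fields, k)
  );
}

// Constructed sample standing in for req.query; the last two keys are
// unexpected and carry inert values.
const sampleQuery = {
  name: 'alice',
  page: '3',
  'view options': 'unexpected',
  extra: 'unexpected',
};

// In a handler (assumed shape), nest the result under a single key so that
// even allow-listed names cannot shadow an engine option:
//   const dropped = rejectedKeys(req.query, PROFILE_FIELDS);
//   if (dropped.length) console.warn('dropped render keys:', dropped);
//   res.render('profile', { form: safeRenderData(req.query, PROFILE_FIELDS) });
```

Logging the dropped key names gives a signal for requests that try to pass options the view never asked for; upgrading to 2.0.0 or later remains the fix.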
RCE
Code Injection
Affected Products
Eta