CVE-2021-32818

Name of the Vulnerable Software and Affected Versions haml-coffee versions prior to 1.14.1

Description haml-coffee is a JavaScript templating solution that mixes pure template data with engine configuration options through the Express render API. It supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user-controlled request objects to the haml-coffee template engine may introduce Remote Code Execution (RCE) vulnerabilities. Additionally, control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs, which may result in reflected Cross Site Scripting attacks against downstream applications.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.