PT-2021-23145 · Unknown · Neoan3-Apps/Template
Roehrl · Published 2021-11-08 · Updated 2021-11-17 · CVE-2021-41170

| CVSS v3.1 | 9.8 Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
neoan3-apps/template versions prior to 1.1.1
Description
The issue arises because closures can be passed directly into the template engine, which invokes any value that is callable. If a supplied value happens to carry the same name as a method or function in scope, the engine executes it rather than rendering it, which allows unintended or malicious execution. All users of the package are potentially affected, especially those who pass direct user input or database values into templates, which makes a multi-step attack plausible.
Recommendations
For versions prior to 1.1.1, the only safe approach is to render hardcoded values only, which largely defeats the purpose of a template engine. The recommended fix is therefore to upgrade to version 1.1.1 or later. As a temporary workaround, avoid passing closures (or any callable value) into the template engine until you can upgrade.
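As an added illustration of the temporary workaround above (this is example code, not part of neoan3-apps/template), the guard below walks a substitution array and rejects any value the engine could invoke: Closure objects, invokable objects, strings that name a function in scope, and `[class, 'method']` pairs. The engine itself is not called; the sample inputs are constructed.

```php
<?php
// Added example, not neoan3-apps/template code: reject callable template
// values before they reach an engine that might invoke them.
declare(strict_types=1);

final class CallableTemplateValueException extends \RuntimeException {}

/**
 * Walk a substitution array recursively and throw if any value could be
 * invoked. is_callable() covers Closures, invokable objects, strings that
 * name an existing function, and [object-or-class, 'method'] arrays.
 */
function assertNoCallableValues(array $values, string $path = ''): void
{
    foreach ($values as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if ($value instanceof \Closure || is_callable($value)) {
            throw new CallableTemplateValueException(
                "Template value '{$here}' is callable and was rejected"
            );
        }
        if (is_array($value)) {
            assertNoCallableValues($value, $here);
        }
    }
}

// Constructed sample input. "phpinfo" is only a string in the data, but it
// names a function in scope, so is_callable() reports it as invokable.
$safe   = ['title' => 'Hello', 'user' => ['name' => 'alice']];
$unsafe = ['title' => 'Hello', 'user' => ['name' => 'phpinfo']];

assertNoCallableValues($safe);            // passes silently
try {
    assertNoCallableValues($unsafe);      // throws: user.name is callable
} catch (CallableTemplateValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The check is deliberately strict about strings (a user literally named "max" would be rejected because `max` is a PHP function), so it is a stop-gap for unpatched deployments rather than a replacement for upgrading to 1.1.1.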
Fix
Special Elements Injection
Incorrect Permission
Related Identifiers
Affected Products
Neoan3-Apps/Template