PT-2022-3563 · Node.Js+1 · Ejs+1

Published 2022-04-25 · Updated 2026-04-11 · CVE-2022-29078

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

ejs versions 3.1.6

Description

The issue is related to the ejs package for Node.js, which allows server-side template injection in settings[view options][outputFunctionName]. This can be parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is executed upon template compilation. The vulnerability can be exploited by a remote attacker to execute arbitrary commands.

Recommendations

For ejs version 3.1.6, consider updating to a newer version that contains a fix for this issue. As a temporary workaround, restrict access to the outputFunctionName option in the settings[view options] to minimize the risk of exploitation. Avoid using the outputFunctionName option in the affected template compilation until the issue is resolved.
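
One way to apply the workaround above in application code, as an added example that is not taken from ejs, Express or this advisory: request data is stripped of the settings key before it is used as render data, and any server-side outputFunctionName is checked to be a plain identifier. The helper names, the identifier pattern and the sample object are assumptions constructed for illustration.

```javascript
'use strict';
// Added example, not ejs or Express code. All helper names are hypothetical.

// Key that must never come from request data when the object is later used
// as render data: the advisory's injection point is
// settings[view options][outputFunctionName].
const RESERVED_KEYS = new Set(['settings']);

// Conservative pattern for a plain JavaScript identifier (this example's choice).
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Copy untrusted input into a fresh object, leaving out reserved keys.
// Returns the safe locals plus the dropped keys so they can be logged.
function sanitizeRenderData(untrusted) {
  const safe = Object.create(null);
  const dropped = [];
  if (untrusted === null || typeof untrusted !== 'object') {
    return { safe, dropped };
  }
  for (const key of Object.keys(untrusted)) {
    if (RESERVED_KEYS.has(key)) {
      dropped.push(key);
    } else {
      safe[key] = untrusted[key];
    }
  }
  return { safe, dropped };
}

// Check view options set by the application itself before they reach
// template compilation: outputFunctionName is either absent or an identifier.
function checkViewOptions(viewOptions) {
  const name = viewOptions && viewOptions.outputFunctionName;
  if (name === undefined) return true;
  return typeof name === 'string' && IDENTIFIER.test(name);
}

// Constructed sample: the nested shape a query-string parser could produce.
// The outputFunctionName value is a harmless non-identifier string.
const sampleQuery = {
  name: 'alice',
  settings: { 'view options': { outputFunctionName: 'not an identifier;' } },
};

const result = sanitizeRenderData(sampleQuery);
console.log('dropped keys:', result.dropped, 'safe keys:', Object.keys(result.safe));
```

Logging the dropped keys gives a detection signal: legitimate clients have no reason to send a settings parameter.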

Exploit

Fix

Special Elements Injection

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2022-04347
CVE-2022-29078
GHSA-PHWQ-J96M-2C2Q

Affected Products

Astra Linux
Ejs