PT-2024-4417 · Ejs+3 · Ejs+3
Published
2024-04-28
·
Updated
2024-08-09
·
CVE-2024-33883
CVSS v2.0
10
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
ejs versions prior to 3.1.10
Description
The issue is related to the lack of certain pollution protection in the ejs package, which can be exploited to execute arbitrary code by injecting specially crafted JavaScript code. This can be done by a remote attacker through the template engine's output. The estimated number of potentially affected devices is not specified.
Recommendations
For versions prior to 3.1.10, upgrade the ejs package to version 3.1.10 or later to mitigate the issue. As a temporary workaround, consider restricting the use of the ejs template engine until a patch is applied. Avoid using the ejs package for rendering untrusted input until the issue is resolved.
Exploit
Fix
Protection Mechanism Failure
Prototype Pollution
Special Elements Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Astra Linux
Debian
Red Os
Ejs