Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14cmg3LW01cHAtMzlyNs4AAxTf

XSS Attack with Express API

Impact

Cross-site scripting (XSS). Anyone rendering templates through Eta's Express API (renderFile) is affected.

Patches

The problem has been resolved. Users should upgrade to version 2.0.0 or later.

Workarounds

Don't pass user-supplied data directly as the data object to res.renderFile (Eta's renderFile, which Express invokes when a route calls res.render). Build the template data yourself from the specific fields you intend to expose.
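The following is an added example for this advisory page; it is not code from the Eta project or from the advisory itself. It shows the workaround above as an explicit allowlist over a user-controlled object such as req.query, so that only named string fields reach the view engine, and adds a check of an installed eta version against the advisory's affected range (< 2.0.0). The field names title and name are hypothetical template variables; the advisory does not describe the exact mechanism, so the allowlist simply guarantees that nothing beyond those fields is handed to renderFile.

```javascript
// Added example (not Eta's or the advisory's code). Assumption: the template
// only needs the hypothetical variables "title" and "name".
const ALLOWED_FIELDS = ['title', 'name'];

// Build the data object passed to the view engine from a user-controlled object
// such as req.query or req.body. Only allowlisted own string properties are
// copied; every other key is dropped, and array/object values (which query
// parsers can produce) are dropped too.
function buildTemplateData(userInput) {
  const data = {};
  if (userInput === null || typeof userInput !== 'object') {
    return data;
  }
  for (const key of ALLOWED_FIELDS) {
    if (
      Object.prototype.hasOwnProperty.call(userInput, key) &&
      typeof userInput[key] === 'string'
    ) {
      data[key] = userInput[key];
    }
  }
  return data;
}

// Parse a plain "major.minor.patch" version string into numbers. Pre-release
// or otherwise unusual strings are rejected rather than guessed at.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) {
    throw new Error(`unsupported version string: ${version}`);
  }
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Affected range from the advisory: every eta release below 2.0.0.
const FIXED_IN = '2.0.0';

function isAffectedEtaVersion(installed) {
  return compareVersions(installed, FIXED_IN) < 0;
}

// Usage in an Express route (not executed here; express and eta are not
// required by this file):
//   app.get('/hello', (req, res) =>
//     res.render('hello', buildTemplateData(req.query)));
// instead of res.render('hello', req.query).

// Constructed sample input standing in for req.query from a crafted request.
const sampleQuery = {
  title: 'Hello',
  name: '<b>visitor</b>',
  extra: 'dropped',
  nested: { a: 1 },
};

console.log(buildTemplateData(sampleQuery));
console.log('eta 1.14.2 affected:', isAffectedEtaVersion('1.14.2'));
console.log('eta 2.0.0 affected:', isAffectedEtaVersion('2.0.0'));
```

The allowlist is deliberately positive (copy what you need) rather than negative (strip known-bad keys), since a denylist would have to anticipate every key the engine might interpret. The version check reads the advisory's range literally: 2.0.0 itself is the first unaffected release.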

References

See https://github.com/eta-dev/eta/releases/tag/v2.0.0

Permalink: https://github.com/advisories/GHSA-xrh7-m5pp-39r6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cmg3LW01cHAtMzlyNs4AAxTf
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Identifiers: GHSA-xrh7-m5pp-39r6, CVE-2023-23630
References: Repository: https://github.com/eta-dev/eta
Blast Radius: 35.9

Affected Packages

npm:eta
Dependent packages: 177
Dependent repositories: 15,007
Downloads: 2,158,222 last month
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 0.0.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.14.0, 1.14.1, 1.14.2
All unaffected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.4.0