CVE-2022-29078

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Configurations

Configuration 1

cpe:2.3:a:ejs:ejs:3.1.6:*:*:*:*:node.js:*:*

Information

Published : 2022-04-25 03:15

Updated : 2022-11-09 09:29


NVD link : CVE-2022-29078

Mitre link : CVE-2022-29078

Products Affected
No products.
CWE