1 results (0.001 seconds)
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45390 – @blakeembrey/template vulnerable to code injection when attacker controls template input
https://notcve.org/view.php?id=CVE-2024-45390
03 Sep 2024 — @blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature. • https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa • CWE-94: Improper Control of Generation of Code ('Code Injection') •