CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-32818 – Remote code execution and Reflected cross site scripting in haml-coffee
https://notcve.org/view.php?id=CVE-2021-32818
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs that may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. • https://securitylab.github.com/advisories/GHSL-2021-025-haml-coffee https://www.npmjs.com/package/haml-coffee • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2017-1002201
https://notcve.org/view.php?id=CVE-2017-1002201
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code. En haml versiones anteriores a la versión 5.0.0.beta.2, cuando se usa la entrada del usuario para realizar tareas en el servidor, los caracteres como ( ) " ' necesitan escaparse apropiadamente. En este caso, el carácter ' se perdió. • https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html https://security.gentoo.org/glsa/202007-27 https://snyk.io/vuln/SNYK-RUBY-HAML-20362 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •