Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for js-template by blakeembrey
CVE-2024-45390 (GCVE-0-2024-45390)
Vulnerability from nvd – Published: 2024-09-03 19:37 – Updated: 2024-09-03 20:01
VLAI?
Title
@blakeembrey/template vulnerable to code injection when attacker controls template input
Summary
@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.
Severity ?
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blakeembrey | js-template |
Affected:
< 1.2.0
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:blakeembrey:js-template:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "js-template",
"vendor": "blakeembrey",
"versions": [
{
"lessThan": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T19:59:11.259079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T20:01:40.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "js-template",
"vendor": "blakeembrey",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don\u0027t pass untrusted input as the template display name, or don\u0027t use the display name feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T19:37:31.763Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj"
},
{
"name": "https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa"
}
],
"source": {
"advisory": "GHSA-q765-wm9j-66qj",
"discovery": "UNKNOWN"
},
"title": "@blakeembrey/template vulnerable to code injection when attacker controls template input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45390",
"datePublished": "2024-09-03T19:37:31.763Z",
"dateReserved": "2024-08-28T20:21:32.801Z",
"dateUpdated": "2024-09-03T20:01:40.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45390 (GCVE-0-2024-45390)
Vulnerability from cvelistv5 – Published: 2024-09-03 19:37 – Updated: 2024-09-03 20:01
VLAI?
Title
@blakeembrey/template vulnerable to code injection when attacker controls template input
Summary
@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.
Severity ?
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blakeembrey | js-template |
Affected:
< 1.2.0
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:blakeembrey:js-template:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "js-template",
"vendor": "blakeembrey",
"versions": [
{
"lessThan": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T19:59:11.259079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T20:01:40.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "js-template",
"vendor": "blakeembrey",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don\u0027t pass untrusted input as the template display name, or don\u0027t use the display name feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T19:37:31.763Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj"
},
{
"name": "https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa"
}
],
"source": {
"advisory": "GHSA-q765-wm9j-66qj",
"discovery": "UNKNOWN"
},
"title": "@blakeembrey/template vulnerable to code injection when attacker controls template input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45390",
"datePublished": "2024-09-03T19:37:31.763Z",
"dateReserved": "2024-08-28T20:21:32.801Z",
"dateUpdated": "2024-09-03T20:01:40.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}