CVE-2023-29827 — Vulnetix

Try Vulnetix Request Demo

CVE-2023-29827 PUBLISHED KEV CVSS 9.300000190734863 CRITICAL

ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.

EPSS 80.82% · 99.1th percentile

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS Score

80.82%

99.1th percentile

Affected Products

Vendor	Product	Versions
ejs	ejs	3.1.9, 3.1.9
n/a	n/a	n/a, n/a

Timeline

Jan 20, 1970 CrowdSec Sighting
Jan 20, 1970 CrowdSec Sighting
Jan 20, 1970 CrowdSec Sighting
Jan 21, 1970 CrowdSec Sighting
Jan 21, 1970 CrowdSec Sighting
Jan 21, 1970 CrowdSec Sighting
Oct 21, 2021 CrowdSec Sighting
Feb 22, 2023 CrowdSec Sighting
May 4, 2023 CVE Published
May 4, 2023 PoC Published
May 5, 2023 EPSS Score
May 9, 2024 CrowdSec Sighting

References

Open in Interactive Console →