Mend has checked all newer package trees, and you are on the least vulnerable package!
Please note: There might be a version that explicitly solves one or more of the vulnerabilities listed below, but we do not recommend it. For more info about the optional fixes, check the "Details" section below.
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
** DISPUTED ** ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Found in HEAD commit: 301eb3dbd5de19b7754d7bff4229321969cc09bc
Please note: There might be a version that explicitly solves one or more of the vulnerabilities listed below, but we do not recommend it. For more info about the optional fixes, check the "Details" section below.
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2023-29827
### Vulnerable Library - ejs-3.1.9.tgzLibrary home page: https://registry.npmjs.org/ejs/-/ejs-3.1.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Dependency Hierarchy: - cli-2.0.2.tgz (Root Library) - core-2.8.5.tgz - :x: **ejs-3.1.9.tgz** (Vulnerable Library)
Found in HEAD commit: 301eb3dbd5de19b7754d7bff4229321969cc09bc
Found in base branch: 2.x
### Vulnerability Details** DISPUTED ** ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
Publish Date: 2023-05-04
URL: CVE-2023-29827
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.