schwarzdavid / bootstrap-email

MIT License
27 stars 11 forks source link

Critical vulnerability #37

Open DimitriOstapenko opened 10 months ago

DimitriOstapenko commented 10 months ago

Hello,

Looks like bootstrap-email is using vulnerable version of ejs. Could you please update?

yarn list --pattern bootstrap-email yarn list v1.22.19 └─ bootstrap-email@1.2.9

Package Affected versions Patched version ejs (npm) < 3.1.7 3.1.7 The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

knopkem commented 9 months ago

https://www.npmjs.com/package/@knopkem/bootstrap-email