schwarzdavid / bootstrap-email

MIT License

Critical vulnerability #37

Open DimitriOstapenko opened 9 months ago

DimitriOstapenko commented 9 months ago

Hello,

Looks like bootstrap-email is using a vulnerable version of ejs. Could you please update?

```
$ yarn list --pattern bootstrap-email
yarn list v1.22.19
└─ bootstrap-email@1.2.9
```

| Package | Affected versions | Patched version |
| --- | --- | --- |
| ejs (npm) | < 3.1.7 | 3.1.7 |

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
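As an added example (not code from this issue thread or from the bootstrap-email project): a small Node.js check that parses `yarn list` style output and flags any `ejs` entry older than the 3.1.7 patched release named in the advisory above. The sample output embedded in the block is constructed to look like what the reporter's `yarn list` would print when a pre-3.1.7 ejs is pulled in; the parsing regex and function names are this example's own.

```javascript
// Added example (not part of the issue thread): flag an installed ejs version
// that falls below the patched release named in the advisory above.
// Sample input is constructed `yarn list` output, not a real capture.

const PATCHED_EJS = '3.1.7'; // patched version quoted in the advisory

// Parse "x.y.z"; a prerelease/build suffix is ignored for this comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Extract every "name@version" entry from yarn's tree output.
// Yarn prefixes each dependency line with box-drawing characters;
// scoped packages ("@scope/name@1.2.3") are handled by the optional leading "@".
function parseYarnList(output) {
  const entries = [];
  const re = /^[\s│├└─]*(@?[^@\s]+)@(\d+\.\d+\.\d+\S*)\s*$/;
  for (const line of output.split('\n')) {
    const m = re.exec(line);
    if (m) entries.push({ name: m[1], version: m[2] });
  }
  return entries;
}

// Report each ejs entry older than the patched version, with the target version attached.
function findVulnerableEjs(output, patched = PATCHED_EJS) {
  return parseYarnList(output)
    .filter(e => e.name === 'ejs' && compareVersions(e.version, patched) < 0)
    .map(e => ({ name: e.name, version: e.version, patched }));
}

// Constructed sample: what `yarn list` might print for a project on
// bootstrap-email@1.2.9 that resolves the affected ejs 3.1.6.
const SAMPLE_YARN_LIST = `yarn list v1.22.19
├─ bootstrap-email@1.2.9
└─ ejs@3.1.6
Done in 0.21s.`;

const findings = findVulnerableEjs(SAMPLE_YARN_LIST);
if (findings.length) {
  console.log('vulnerable ejs found:', JSON.stringify(findings));
} else {
  console.log('no ejs older than', PATCHED_EJS);
}
```

To run it against a real tree, pipe `yarn list --pattern ejs` into the script instead of the constructed sample; the same comparison applies to any advisory of the form "affected < X, patched X".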

knopkem commented 7 months ago

https://www.npmjs.com/package/@knopkem/bootstrap-email