CVE-2017-1000188

Published: 17/11/2017 Updated: 30/11/2017
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

nodejs ejs versions older than 2.5.5 are vulnerable to cross-site scripting in ejs.renderFile(), resulting in code injection.

Affected Products

Vendor | Product | Versions
Ejs | Ejs | 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.1, 2.4.2, 2.5.1, 2.5.2, 2.5.3, 2.5.4

Vendor Advisories

nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection ...

GitHub Repositories

This project is defunct; I'm leaving it because it can give you a huge head start to reproduce something similar, but don't use as is. It contains vulnerabilities. GitHub has flagged the EJS dependency as having the following vulnerabilities: CVE-2017-1000188 (Moderate severity), CVE-2017-1000189 (High severity), CVE-2017-1000228 (High severity). You have been warned.

WARNING! THIS PROJECT IS NO LONGER MAINTAINED! Known security vulnerabilities detected. Dependency: ejs. Version: < 2.5.5. Upgrade to: ~> 2.5.5. Vulnerabilities: CVE-2017-1000189 (High severity), CVE-2017-1000188 (Moderate severity). nodejs-dpd-ejs-express: Using Deployd module with dpd-express module for nodejs. I created simple members area code for reuse in future projects t