ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
ejs ejs 3.1.9 |