CVE-2024-45390

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-45390

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45390.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-45390

Aliases

GHSA-q765-wm9j-66qj

Published

2024-09-03T20:15:08Z

Modified

2024-10-08T04:22:27.157496Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.

References

Affected packages

Git / github.com/blakeembrey/js-template

Affected ranges

Type: GIT
Repo: https://github.com/blakeembrey/js-template
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa

Affected versions

v1.*

v1.0.0

v1.1.0