XSS attack - anyone using the Express API is impacted
The problem has been resolved. Users should upgrade to version 2.0.0.
Don't pass user-supplied data directly to res.renderFile.
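One way to apply this workaround, as an added example that is not code from the Eta project or this advisory: build the template data from an allowlist of expected string fields instead of handing the parsed request to the renderer. `buildViewData`, `ALLOWED_FIELDS` and the sample query are hypothetical names and constructed values.

```javascript
// Added example: copy only expected fields into the object given to the
// template renderer. ALLOWED_FIELDS and buildViewData are hypothetical names.
const ALLOWED_FIELDS = { name: 64, title: 120 }; // field name -> max length

function buildViewData(userInput, allowed = ALLOWED_FIELDS) {
  const data = {};
  // Anything that is not an object (missing body, string, null) yields no data.
  if (userInput === null || typeof userInput !== "object") return data;
  for (const key of Object.keys(allowed)) {
    // Only own properties of the request data are considered.
    if (!Object.prototype.hasOwnProperty.call(userInput, key)) continue;
    const value = userInput[key];
    // Query and body parsers can produce arrays or nested objects for a key;
    // accept plain strings only and drop everything else.
    if (typeof value !== "string") continue;
    data[key] = value.slice(0, allowed[key]);
  }
  return data;
}

// Constructed sample of a parsed query string that carries unexpected keys.
const sampleQuery = {
  name: "Ada",
  title: ["a", "b"],            // wrong type, dropped
  settings: { views: "/tmp" },  // not on the allowlist, dropped
  extra: "ignored",             // not on the allowlist, dropped
};

console.log(buildViewData(sampleQuery)); // only the "name" field survives

// In a route handler, pass buildViewData(req.query) to the render call
// in place of req.query itself.
```

Values that pass the allowlist are still untrusted text, so the template's output escaping must stay enabled for them.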
Are there any links users can visit to find out more? See https://github.com/eta-dev/eta/releases/tag/v2.0.0
{ "nvd_published_at": "2023-02-01T01:15:00Z", "github_reviewed_at": "2023-01-31T22:39:40Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }