Web: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29078

April 25, 2022, 3:15 p.m. | National Vulnerability Database (nist.gov)

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
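
A defensive check for the option path named above, as an added example that is not part of the NVD entry or the ejs code base. It assumes the application passes parsed request parameters to the template renderer as data; the function names and sample requests are constructed for illustration.

```javascript
// Added example: not ejs or NVD code; names and sample data are constructed.
// Assumption: request parameters reach the renderer as template data.

const FLAT_SETTINGS_KEY = /^settings\s*\[/;            // unexpanded bracket form
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;       // plain JS identifier

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// List the user-supplied keys that would be read as internal ejs options.
function findEjsOptionInjection(params) {
  const paths = [];
  if (!isPlainObject(params)) return paths;
  for (const key of Object.keys(params)) {
    if (FLAT_SETTINGS_KEY.test(key)) paths.push(key);
  }
  const settings = params.settings;
  if (settings !== undefined) {
    paths.push('settings');
    const viewOptions = isPlainObject(settings) ? settings['view options'] : undefined;
    if (isPlainObject(viewOptions) && 'outputFunctionName' in viewOptions) {
      paths.push('settings[view options][outputFunctionName]');
    }
  }
  return paths;
}

// Copy request data for rendering without any settings key.
function toRenderData(params) {
  const clean = {};
  if (!isPlainObject(params)) return clean;
  for (const [key, value] of Object.entries(params)) {
    if (key === 'settings' || FLAT_SETTINGS_KEY.test(key)) continue;
    clean[key] = value;
  }
  return clean;
}

// For applications that set outputFunctionName themselves: identifiers only.
function isSafeOutputFunctionName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name);
}

// Constructed sample requests (no real payload).
const benign = { name: 'alice' };
const suspicious = { name: 'bob',
  settings: { 'view options': { outputFunctionName: 'x; not_an_identifier()' } } };
console.log(findEjsOptionInjection(benign), findEjsOptionInjection(suspicious));
```

Run the finder in request logging or middleware to alert on the option path, and pass only the output of `toRenderData` (or an explicit allow-list of fields) to the renderer.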
