CVE-2024-45390
CVSS V2 None
CVSS V3 None
Description
@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.
Overview
- CVE ID
- CVE-2024-45390
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-09-03T19:37:31.763Z
- Last Modified Date
- 2024-09-03T20:01:40.797Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj | x_refsource_CONFIRM |
| https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-45390 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45390 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-09-04 13:08:10 | Added to TrackCVE |