Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
File disclosure in express-hbs
Vulnerability Description
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
信息暴露
Vulnerability Title
express-hbs 代码注入漏洞
Vulnerability Description
express-hbs是一个具有多种布局、块和缓存部分的Express handlebars模板引擎。 express-hbs 存在代码注入漏洞,该漏洞源于通过Express渲染API将纯模板数据与引擎配置选项混合。布局参数可能会在下游应用程序中触发文件公开漏洞。
CVSS Information
N/A
Vulnerability Type
N/A