Vulnerability Information
Vulnerability Title
Remote code execution and Reflected cross site scripting in haml-coffee
Vulnerability Description
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user-controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally, control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee does not sanitize template inputs, which may result in reflected cross-site scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details, refer to the referenced GHSL-2021-025.
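Because the description above says no fixed release exists, the application has to keep request objects away from the render call itself. The following is an added example, not code from the advisory or from haml-coffee: it builds the template locals from an explicit allow-list. `pickLocals`, `ALLOWED_LOCALS` and the field names are hypothetical.

```javascript
// Added example: build template locals from an explicit allow-list instead of
// handing req.query / req.body to res.render(). All names are hypothetical.

// Fields this view is allowed to receive from the request (assumed).
const ALLOWED_LOCALS = ['name', 'page'];

function pickLocals(input, allowed = ALLOWED_LOCALS) {
  // Null-prototype object: nothing is inherited, and a "__proto__" key in the
  // input cannot change the prototype of the result.
  const locals = Object.create(null);
  if (input === null || typeof input !== 'object') return locals;

  for (const key of allowed) {
    if (!Object.prototype.hasOwnProperty.call(input, key)) continue;
    const value = input[key];
    // Query parsers can yield arrays and nested objects (?a[b]=c); accept
    // plain strings only so no object or function value reaches the engine.
    if (typeof value !== 'string') continue;
    locals[key] = value;
  }
  return locals;
}

// Constructed sample: a parsed query string in which the client supplied an
// engine option (escapeHtml, named in the advisory) next to the real field.
const constructedQuery = {
  name: '<b>guest</b>',
  escapeHtml: 'false',
  page: { nested: 'object' },
};

function demo() {
  return pickLocals(constructedQuery);
}

// In an Express handler (not run here):
//   res.render('index', pickLocals(req.query));
// rather than:
//   res.render('index', req.query);
console.log(Object.keys(demo())); // [ 'name' ]
```

The markup in `name` is passed through unchanged on purpose: with `escapeHtml` no longer reachable from the request, escaping stays under the engine's own configuration.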
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Vulnerability Title
haml cross-site scripting vulnerability
Vulnerability Description
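haml is an open-source HTML abstraction markup language from the Haml (HAML) team. haml-coffee has a cross-site scripting vulnerability: haml-coffee supports overriding a series of HTML helper functions through its configuration options. Control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee does not sanitize template inputs that may result in Cross Si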
CVSS Information
N/A
Vulnerability Type
N/A