CVE-2021-32818
Last modified
CVE-2021-32818 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. EPSS estimates a 0.70% chance of exploitation in the next 30 days.
Description
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs that may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Haml-Coffee Project | Haml-Coffee | <= 1.14.1 |
References
- https://securitylab.github.com/advisories/GHSL-2021-025-haml-coffee/Third Party Advisory
- https://www.npmjs.com/package/haml-coffeeExploit, Product
- https://securitylab.github.com/advisories/GHSL-2021-025-haml-coffee/Third Party Advisory
- https://www.npmjs.com/package/haml-coffeeExploit, Product
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-32818?
How severe is CVE-2021-32818?
How do I fix CVE-2021-32818?
Are you affected by CVE-2021-32818?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST