Vulnerability Details CVE-2023-29827
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.696
EPSS Ranking 98.6%
CVSS Severity
CVSS v3 Score 9.8
References