XSS Attack with Express API
Description
Published to the GitHub Advisory Database
Jan 31, 2023
Reviewed
Jan 31, 2023
Published by the National Vulnerability Database
Feb 1, 2023
Last updated
Feb 8, 2023
Impact
XSS attack - anyone using the Express API is impacted
Patches
The problem has been resolved. Users should upgrade to version 2.0.0.
Workarounds
Don't pass user supplied data directly to
res.renderFile
.References
Are there any links users can visit to find out more?
See https://github.com/eta-dev/eta/releases/tag/v2.0.0
References