CVE-2023-23630 - Unspecified vulnerability in Eta.Js ETA
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: LOW
- Integrity impact: LOW
- Availability impact: NONE

Summary
Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. It is affected by an XSS attack: anyone using the Express API is impacted. The problem has been resolved, and users should upgrade to version 2.0.0. As a workaround, don't pass user-supplied data directly to `res.render`.
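
One way to apply the workaround in an Express handler, as an added example (not code from the Eta project or the advisory): copy only the fields the template needs into a fresh object before calling `res.render`. The names `pickViewData`, `helloHandler`, the `hello` view and the sample request are hypothetical, and the request and response objects are constructed stubs so the block runs without Express installed.

```javascript
// Added example: allowlist the fields a template needs instead of handing
// req.query or req.body to res.render. All names here are hypothetical.

// Copy only the expected keys, and only when the value is a plain string.
// Express's default query parser can yield arrays and nested objects
// (for example ?name[x]=1), so anything that is not a string is dropped.
function pickViewData(input, allowedKeys) {
  const out = {};
  if (input === null || typeof input !== 'object') return out;
  for (const key of allowedKeys) {
    if (!Object.prototype.hasOwnProperty.call(input, key)) continue;
    const value = input[key];
    if (typeof value === 'string') out[key] = value;
  }
  return out;
}

// Pattern the summary warns about (shown for contrast, not executed):
//   app.get('/hello', (req, res) => res.render('hello', req.query));

// Hardened handler: the template receives `name` and nothing else.
function helloHandler(req, res) {
  res.render('hello', pickViewData(req.query, ['name']));
}

// Constructed request plus a stub response that records what render() gets.
function demo() {
  const req = {
    query: { name: 'Ada', unexpectedOption: 'x', nested: { a: '1' } },
  };
  const calls = [];
  const res = { render: (view, data) => calls.push({ view, data }) };
  helloHandler(req, res);
  return calls[0];
}

console.log(demo()); // view 'hello', data containing only `name`
```

In a real application the same handler is registered with `app.get`, and the allowlist is kept next to the template so new fields are added deliberately.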
References
- https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd
- https://github.com/eta-dev/eta/releases/tag/v2.0.0
- https://github.com/eta-dev/eta/security/advisories/GHSA-xrh7-m5pp-39r6