Description

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.

Remediation

References

https://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e

https://github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da

https://github.com/squirrellyjs/squirrelly/pull/254

https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/

Related Vulnerabilities

CVE-2021-46036 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2021-39148 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2018-3721 Vulnerability in maven package org.webjars:lodash

CVE-2022-36095 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2020-7961 Vulnerability in maven package com.liferay.portal:portal-impl

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory NVD-CWE-noinfo