Description
Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to `res.render`.
Remediation
References
https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd
https://github.com/eta-dev/eta/releases/tag/v2.0.0
https://github.com/eta-dev/eta/security/advisories/GHSA-xrh7-m5pp-39r6
Related Vulnerabilities
CVE-2023-44400 Vulnerability in npm package uptime-kuma
CVE-2020-11022 Vulnerability in maven package org.webjars.bower:jquery
CVE-2020-28461 Vulnerability in npm package js-ini
CVE-2022-36092 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2023-24057 Vulnerability in maven package ca.uhn.hapi.fhir:org.hl7.fhir.convertors