Description
Express.js used with Handlebars as the templating engine (invoked via the hbs view engine) is vulnerable to a Local File Read vulnerability that allows an attacker to read arbitrary files using the layout parameter. The vulnerability appears when code like the example below is used:
    var express = require('express');
    var router = express.Router();

    router.get('/', function(req, res, next) {
      res.render('index');
    });

    router.post('/', function(req, res, next) {
      // profile is taken straight from the request body
      var profile = req.body.profile;
      // the request-controlled object is passed as the render options
      res.render('index', profile);
    });

    module.exports = router;

The problem lies with the following line of code:

    res.render('index', profile)
Remediation
Use the code pattern

    res.render('index', { profile })

instead of

    res.render('index', profile)
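The difference between the two patterns above, shown with a stub res object so it runs without Express or hbs. This is an added example, not code from the advisory; the handler names, the field allow-list (name, bio) and the sample body are assumptions.

```javascript
'use strict';

// Stub res.render() that records what the view engine would receive.
function captureRender(handler, body) {
  let captured = null;
  const res = { render: (view, options) => { captured = { view, options }; } };
  handler({ body }, res);
  return captured;
}

// Pattern from the advisory: request data IS the render options object.
function vulnerableHandler(req, res) {
  res.render('index', req.body.profile);
}

// Remediated pattern: request data is nested under one fixed key.
function fixedHandler(req, res) {
  res.render('index', { profile: req.body.profile });
}

// Stricter variant: copy only expected string fields (assumed field names).
const ALLOWED_FIELDS = ['name', 'bio'];
function strictHandler(req, res) {
  const src = req.body.profile;
  const profile = {};
  for (const field of ALLOWED_FIELDS) {
    if (src !== null && typeof src === 'object' && typeof src[field] === 'string') {
      profile[field] = src[field];
    }
  }
  res.render('index', { profile });
}

// True when the request supplied a top-level render option such as layout.
function requestControlsOption(captured, key) {
  const opts = captured.options;
  return opts !== null && typeof opts === 'object' &&
    Object.prototype.hasOwnProperty.call(opts, key);
}

// Constructed request body; the layout value is an inert placeholder.
const sampleBody = { profile: { name: 'alice', layout: 'PLACEHOLDER' } };

for (const h of [vulnerableHandler, fixedHandler, strictHandler]) {
  const hit = requestControlsOption(captureRender(h, sampleBody), 'layout');
  console.log(`${h.name}: request controls layout = ${hit}`);
}
```

The same stub can serve as a regression test: a route handler passes when no key from the request body appears at the top level of the options object.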