Vulnerability	Vulnerable Version
M Improper Control of Dynamically-Managed Code Resources ejs is a popular JavaScript templating engine. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources due to the lack of certain pollution protection mechanisms. An attacker can exploit this vulnerability to manipulate object properties that should not be accessible or modifiable. Note: Even after updating to the fix version that adds enhanced protection against prototype pollution, it is still possible to override the `hasOwnProperty` method. How to fix Improper Control of Dynamically-Managed Code Resources? Upgrade `ejs` to version 3.1.10 or higher.	<3.1.10
H Remote Code Execution (RCE) ejs is a popular JavaScript templating engine. Affected versions of this package are vulnerable to Remote Code Execution (RCE) by passing an unrestricted render option via the `view options` parameter of `renderFile`, which makes it possible to inject code into `outputFunctionName`. Note: This vulnerability is exploitable only if the server is already vulnerable to Prototype Pollution. How to fix Remote Code Execution (RCE)? Upgrade `ejs` to version 3.1.7 or higher.	<3.1.7
M Arbitrary Code Injection ejs is a popular JavaScript templating engine. Affected versions of this package are vulnerable to Arbitrary Code Injection via the `render` and `renderFile`. If external input is flowing into the `options` parameter, an attacker is able run arbitrary code. This include the `filename`, `compileDebug`, and `client` option. How to fix Arbitrary Code Injection? Upgrade `ejs` to version 3.1.6 or higher.	<3.1.6

Go back to all versions of this package