CVE-2023-23630
XSS attack vulnerability in eta (npm)
What is CVE-2023-23630 About?
This vulnerability is a Cross-Site Scripting (XSS) attack impacting users of the Express API via the eta-dev/eta template engine. Successful exploitation allows for arbitrary client-side code execution within the user's browser context, potentially leading to session hijacking or data theft. Exploitation is relatively easy if user-supplied data is not properly sanitized before being passed to 'res.renderFile'.
Affected Software
Technical Details
The XSS vulnerability resides in the eta template engine, specifically when user-supplied data is directly passed to the res.renderFile method without proper sanitization. An attacker can inject malicious script tags or other executable HTML into input fields that are later rendered by the application. When a victim's browser processes this rendered template, the injected script executes within the victim's session, leading to arbitrary client-side code execution. The underlying mechanism is the lack of output encoding for untrusted input.
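The missing output encoding described above, as an added example that is not eta's own code: a small constructed renderer that contrasts raw interpolation of untrusted data with HTML-encoded interpolation, run over constructed untrusted input. The placeholder syntax (`{{raw key}}` / `{{esc key}}`) and the names `escapeHtml`, `render`, `containsActiveContent` and `demo` are assumptions of this example, not the eta API.

```javascript
// Added example, not eta's own code: a constructed stand-in renderer that
// contrasts raw interpolation of untrusted data with HTML output encoding.
// Placeholder syntax ({{raw key}} / {{esc key}}) and all names are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that let data break out of an HTML text or
// quoted-attribute context. This is the output encoding the advisory says was missing.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// {{raw key}} inserts the value verbatim; {{esc key}} inserts the encoded value.
function render(template, data) {
  return template.replace(/\{\{(raw|esc)\s+(\w+)\}\}/g, (_match, mode, key) => {
    const value = Object.prototype.hasOwnProperty.call(data, key) ? data[key] : "";
    return mode === "esc" ? escapeHtml(value) : String(value);
  });
}

// Review/test heuristic: does the rendered markup contain a script element or an
// inline event-handler attribute? Correctly encoded output must never trip this.
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\bon\w+\s*=/i.test(html);
}

// Constructed untrusted input of the kind the advisory describes (benign marker payload).
const UNTRUSTED_NAME = '<script>alert("xss")</script>';

// Render the same page both ways so the difference is visible side by side.
function demo() {
  const vulnerable = render("<h1>Hello {{raw name}}</h1>", { name: UNTRUSTED_NAME });
  const hardened = render("<h1>Hello {{esc name}}</h1>", { name: UNTRUSTED_NAME });
  return {
    vulnerable,
    hardened,
    vulnerableIsActive: containsActiveContent(vulnerable),
    hardenedIsActive: containsActiveContent(hardened),
  };
}

console.log(demo());
```

The raw rendering carries the script element through to the browser; the encoded rendering turns it into inert text, which is the property any template output path fed from request data must have.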
What is the Impact of CVE-2023-23630?
Successful exploitation may allow attackers to execute arbitrary client-side scripts, hijack user sessions, deface web content, or steal sensitive information from affected users.
What is the Exploitability of CVE-2023-23630?
Exploitation is of low to moderate complexity, primarily requiring an attacker to inject malicious script into input fields that are subsequently rendered by the vulnerable res.renderFile function. No specific authentication or elevated privileges are required; any user capable of submitting data processed by the vulnerable function can execute the attack. This is primarily a remote vulnerability. The likelihood of exploitation is increased when applications directly embed user-controlled input into rendered templates without proper sanitization or encoding, making it a common client-side attack vector.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-23630?
About the Fix from Resolved Security
Available Upgrade Options
- eta
- <2.0.0 → Upgrade to 2.0.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2023-23630
- https://github.com/eta-dev/eta/releases/tag/v2.0.0
- https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd
- https://osv.dev/vulnerability/GHSA-xrh7-m5pp-39r6
- https://github.com/eta-dev/eta/security/advisories/GHSA-xrh7-m5pp-39r6
- https://github.com/eta-dev/eta
What are Similar Vulnerabilities to CVE-2023-23630?
Similar Vulnerabilities: CVE-2023-24884, CVE-2023-38038, CVE-2023-37905, CVE-2023-36868, CVE-2023-29406
