haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs that may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025.
Published 2021-05-14 19:15:08
Updated 2021-08-12 18:06:11
Source GitHub, Inc.
View at NVD,   CVE.org
Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2021-32818

Exploit prediction scoring system (EPSS) score for CVE-2021-32818

0.05%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 24 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-32818

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
3.5
LOW AV:N/AC:M/Au:S/C:N/I:P/A:N
6.8
2.9
NIST
5.4
MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2.3
2.7
NIST
7.7
HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1.3
5.8
GitHub, Inc.

CWE ids for CVE-2021-32818

References for CVE-2021-32818

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!