Server Side Template Injection (EJS)
- PCI 3.2-6.5.1
- CWE 94
- CWE 95
- CAPEC 23
- OWASP 2013-A1
Server-side template injection occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives. Using malicious template directives, an attacker may execute arbitrary code and take full control of the web server.
Remediation
Avoid creating templates from user input. Instead, pass user input to the template using template parameters.
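The difference between the two patterns, as an added example that is not part of the original page. To run without dependencies it uses a small constructed stand-in, `render`, that compiles `<%= %>` tags into JavaScript the way EJS does; it is not the `ejs` package, and `greetVulnerable` and `greetSafe` are hypothetical names.

```javascript
// Constructed stand-in for an EJS-style engine (NOT the ejs package): like EJS,
// it compiles the template text into a JavaScript function, so anything between
// <%= and %> in the TEMPLATE source is executed as code on the server.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
const escapeHtml = (v) => String(v).replace(/[&<>"']/g, (c) => ESCAPES[c]);

function render(template, data = {}) {
  let body = 'let out = "";\nwith (data) {\n';
  let pos = 0;
  for (const m of template.matchAll(/<%=([\s\S]*?)%>/g)) {
    // Literal text before the tag is emitted as a string constant.
    body += `out += ${JSON.stringify(template.slice(pos, m.index))};\n`;
    // The tag's contents become part of the compiled function body.
    body += `out += escapeHtml(${m[1]});\n`;
    pos = m.index + m[0].length;
  }
  body += `out += ${JSON.stringify(template.slice(pos))};\n}\nreturn out;`;
  return new Function('data', 'escapeHtml', body)(data, escapeHtml);
}

// Vulnerable pattern: user input is concatenated into the template source,
// so any directive it contains is compiled and executed.
function greetVulnerable(name) {
  return render('<p>Hello ' + name + '</p>');
}

// Remediated pattern: the template is a fixed string and user input is passed
// as a template parameter, so it is only ever treated as data and HTML-escaped.
function greetSafe(name) {
  return render('<p>Hello <%= name %></p>', { name });
}

// Constructed input: a harmless arithmetic directive.
const probe = '<%= 7*7 %>';
console.log(greetVulnerable(probe)); // directive was evaluated
console.log(greetSafe(probe));       // directive was rendered as inert text
```

With the real library the same shape applies: keep the first argument of `ejs.render(template, data)` a constant and put request values only in `data`.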