CVE-2024-36361 — Pug allows JavaScript code execution if an application accepts untrusted input

描述

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

如何修補 CVE-2024-36361

要修補 CVE-2024-36361,請將受影響套件升級到下列已修補版本。

—升級至 3.0.3 或更新版本
—升級至 3.0.3 或更新版本

CVE-2024-36361 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(2)

from 0, < 3.0.3
from 0, < 3.0.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

參考連結(10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-36361
PATCHgithub.com/pugjs/pug
WEBgithub.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug
WEBgithub.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328