Impact
What kind of vulnerability is it? Who is impacted?
Cross-site scripting (XSS). Anyone using the Express API is impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been resolved. Users should upgrade to version 2.0.0.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Don't pass user-supplied data directly to res.renderFile.
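One way to follow this workaround in an Express route, as an added example that is not code from the advisory or the Eta project: values taken from the request are filtered through an allow-list into the template data object, and the renderer's own options stay fixed in code. The field names, validators and the "profile" template are assumptions for illustration.

```javascript
// Added example: keep user-controlled values out of the arguments handed to
// the template renderer. Field names and validators below are hypothetical.

// Allow-list of the fields the template actually uses, each with a validator.
const ALLOWED_FIELDS = {
  username: (v) => typeof v === "string" && /^[\w.-]{1,32}$/.test(v),
  page: (v) => typeof v === "string" && /^[1-9]\d{0,3}$/.test(v),
  sort: (v) => v === "asc" || v === "desc",
};

// Build the template data object from untrusted input. Keys that are not in
// the allow-list are dropped, so extra request parameters can never reach the
// renderer; values that fail validation are reported instead of passed on.
function buildTemplateData(userInput) {
  const data = {};
  const rejected = [];
  for (const [key, validate] of Object.entries(ALLOWED_FIELDS)) {
    // Own-property check so inherited or polluted prototype keys are ignored.
    if (!Object.prototype.hasOwnProperty.call(userInput, key)) continue;
    const value = userInput[key];
    if (!validate(value)) {
      rejected.push(key);
      continue;
    }
    data[key] = key === "page" ? Number(value) : value;
  }
  return { data, rejected };
}

// Renderer configuration is a constant chosen by the application, never
// derived from the request (hypothetical option names).
const RENDER_OPTIONS = Object.freeze({ views: "./views", cache: true });

// Route-handler logic: returns what would be handed to the render call so the
// decision can be tested offline without an Express server.
function prepareRender(req) {
  const input = { ...(req.query || {}), ...(req.body || {}) };
  const { data, rejected } = buildTemplateData(input);
  if (rejected.length > 0) {
    return { status: 400, error: `invalid fields: ${rejected.join(", ")}` };
  }
  return { status: 200, template: "profile", data, options: RENDER_OPTIONS };
}
```

In the real route only `data` and `RENDER_OPTIONS` are passed to the renderer; the raw `req.query` and `req.body` objects are never forwarded.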
References
Are there any links users can visit to find out more?
See https://github.com/eta-dev/eta/releases/tag/v2.0.0