Security Advisory

CVE-2024-36361

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2024-05-24 06:04:19
Last updated 2025-02-13 15:59:18
Assigner mitre
State PUBLISHED

Description

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
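An application that must let callers choose the name option can allowlist it before it reaches any of the three functions. The following is an added example, not code from Pug or from its fix. The names assertSafeTemplateName, compileClientWithCheckedName and stubCompileClient are hypothetical, and the stub is a constructed stand-in for pug.compileClient so the block runs without Pug installed.

```javascript
'use strict';

// Conservative ASCII identifier, capped at 64 characters. This is deliberately
// narrower than the full ECMAScript identifier grammar: an allowlist, not a parser.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Reserved words and literals that cannot serve as a function name.
const RESERVED = new Set(('break case catch class const continue debugger default ' +
  'delete do else enum export extends false finally for function if import in ' +
  'instanceof new null return super switch this throw true try typeof var void ' +
  'while with yield let static await').split(' '));

// Returns the name unchanged if it is safe to use as a function name, else throws.
function assertSafeTemplateName(name) {
  if (typeof name !== 'string') {
    throw new TypeError('template name must be a string');
  }
  if (!IDENTIFIER.test(name)) {
    throw new RangeError('template name must be a plain identifier');
  }
  if (RESERVED.has(name)) {
    throw new RangeError('template name must not be a reserved word');
  }
  return name;
}

// compileClient is injected; in an application, pass pug.compileClient,
// pug.compileFileClient or pug.compileClientWithDependenciesTracked.
function compileClientWithCheckedName(compileClient, source, options = {}) {
  // Always set an own, validated name so nothing unchecked reaches the compiler.
  // 'template' is Pug's documented default function name.
  const requested = options.name === undefined ? 'template' : options.name;
  const opts = { ...options, name: assertSafeTemplateName(requested) };
  return compileClient(source, opts);
}

// Constructed stand-in: models only that the name becomes part of generated source.
function stubCompileClient(source, opts) {
  return `function ${opts.name}(locals) { /* compiled from ${source.length} chars */ }`;
}
```

The check belongs at the trust boundary where the name first enters the application, and a rejected name should fail the request rather than fall back to a sanitized variant.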