CVE-2023-23630

8.6 HIGH

📋 TL;DR

CVE-2023-23630 is a cross-site scripting (XSS) vulnerability in the Eta JavaScript templating engine when used through its Express API. Attackers can inject malicious scripts that execute in users' browsers when the rendered templates are viewed. Anyone using Eta with Express is affected.

💻 Affected Systems

Products:
  • Eta JavaScript templating engine
Versions: All versions before 2.0.0
Operating Systems: All platforms where Node.js, Deno, or browsers run
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users of the Express API with Eta; other templating engines or frameworks are not impacted.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of user sessions, credential theft, defacement of web applications, and potential pivot to internal systems.

🟠 Likely Case: Session hijacking, credential theft, and client-side data exfiltration from affected users.

🟢 If Mitigated: Limited impact with proper input validation and output encoding, though XSS could still affect users with elevated privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited; proof-of-concept exists in advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.0

Vendor Advisory: https://github.com/eta-dev/eta/security/advisories/GHSA-xrh7-m5pp-39r6

Restart Required: Yes

Instructions:

1. Update package.json to specify 'eta' version '^2.0.0'.
2. Run 'npm update eta' or 'yarn upgrade eta'.
3. Restart the application server.

🔧 Temporary Workarounds

Avoid direct user input in res.render (applies to: all)

Do not pass user-supplied data directly to res.render() without proper sanitization.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user-supplied data passed to templates.
  • Use Content Security Policy (CSP) headers to mitigate script execution impact.
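The workaround above and the input-validation and output-encoding advice in this section, as an added example that is not from the Eta project or this advisory: an Express handler that allowlists, validates and HTML-escapes request fields before anything reaches res.render(). The view name "profile", the fields "name" and "page", and the validation patterns are assumptions.

```javascript
// Added example (not from the Eta project or the advisory): keep raw request
// data out of res.render(). Assumed: an Express app rendering an Eta view
// named "profile" that expects the fields "name" and "page".

// Fields a template may receive from the request, with a validator for each.
// Any key not listed here (including unexpected keys the engine or template
// might interpret) is dropped before res.render() is called.
const ALLOWED_FIELDS = {
  name: (v) => typeof v === 'string' && /^[\w .'-]{1,64}$/.test(v),
  page: (v) => typeof v === 'string' && /^\d{1,4}$/.test(v),
};

// Escape the characters that carry meaning in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the object handed to res.render(): allowlisted, validated, escaped.
// Returns { data, rejected } so the caller can log what was dropped.
function buildTemplateData(untrusted) {
  const data = {};
  const rejected = [];
  for (const [key, value] of Object.entries(untrusted || {})) {
    const isValid = ALLOWED_FIELDS[key];
    if (isValid && isValid(value)) {
      data[key] = escapeHtml(value);
    } else {
      rejected.push(key);
    }
  }
  return { data, rejected };
}

// Pattern the workaround warns against, shown for contrast:
//   app.get('/profile', (req, res) => res.render('profile', req.query));
// Hardened handler: only the validated subset reaches the template engine,
// and rejected keys are logged as a detection signal (see Log Indicators).
function profileHandler(req, res) {
  const { data, rejected } = buildTemplateData(req.query);
  if (rejected.length > 0) {
    console.warn('dropped untrusted template fields:', rejected.join(','));
  }
  res.render('profile', data);
}
```

Wire it in with app.get('/profile', profileHandler); the template then only ever sees escaped, allowlisted strings.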

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list eta' to see if version is below 2.0.0.

Check Version:

npm list eta | grep eta

Verify Fix Applied:

Confirm eta version is 2.0.0 or higher via 'npm list eta' and test template rendering with sanitized inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template rendering errors
  • Suspicious user input patterns in request logs

Network Indicators:

  • Malicious script payloads in HTTP requests
  • Unexpected external resource loads from rendered pages

SIEM Query:

source="web_server" AND (uri="*render*" OR message="*XSS*" OR message="*script*")
