CVE-2022-29078

This repository demonstrates a Server-Side Template Injection (SSTI) vulnerability in EJS 3.1.6, leading to Remote Code Execution (RCE). The exploit leverages malicious input in the 'settings' query parameter to execute arbitrary commands via Node.js's child_process module.

This is a functional exploit for CVE-2022-29078, targeting a Server-Side Template Injection (SSTI) vulnerability in the EJS package for Node.js. It delivers a reverse shell payload via a crafted POST request to execute arbitrary commands on the target system.

This repository contains a functional proof-of-concept for CVE-2022-29078, demonstrating a server-side template injection vulnerability in an Express.js application using EJS. The exploit showcases multi-hop taint propagation from user-controlled input to EJS template rendering, bypassing ineffective sanitization.

This repository demonstrates CVE-2022-29078, a server-side template injection vulnerability in EJS 2.7.4, allowing arbitrary JavaScript execution via the `outputFunctionName` parameter. The PoC includes a functional exploit URL that triggers a server crash and explains how Seal Security's patch mitigates the issue.

This PoC exploits CVE-2022-29078, a remote code execution vulnerability in EJS (Embedded JavaScript templates) version 3.1.6. It leverages a prototype pollution attack to inject malicious code into the 'outputFunctionName' setting, allowing arbitrary command execution via Node.js's 'child_process' module.

This repository contains a basic Express.js application with EJS templating but lacks any exploit code or demonstration of CVE-2022-29078. It appears to be a placeholder or incomplete PoC.