EJS (Embedded JavaScript templates) is a popular templating engine that lets you generate HTML markup with plain JavaScript. Versions 2.3.2 and 2.3.3 share the same core functionality and development dependencies, including tools like Jake for build tasks, JSDoc for documentation, Mocha for testing, Rimraf for file removal, Istanbul for code coverage, LRU-Cache for performance optimization, Uglify-JS for minification, and Browserify for bundling. Both versions are licensed under Apache-2.0 and maintained by Matthew Eernisse.
The primary difference lies in their release dates and in whatever bug fixes or minor enhancements the newer release includes. Version 2.3.2 was released on June 29, 2015, while version 2.3.3 was released on July 11, 2015. This roughly two-week gap suggests that version 2.3.3 is a patch release incorporating bug fixes or small improvements over its predecessor.
For developers using EJS, this means that upgrading from 2.3.2 to 2.3.3 is recommended in order to pick up any addressed issues. While the core feature set remains consistent, staying current with patch releases is good practice. If you're starting a new project with EJS, using the latest version (2.3.3 in this instance) is the advisable choice. Always check the official changelog in the EJS GitHub repository for the detailed list of changes between versions.
All the vulnerabilities related to version 2.3.3 of the package:

ejs is vulnerable to remote code execution due to weak input validation
Node.js ejs versions older than 2.5.3 are vulnerable to remote code execution due to weak input validation in the ejs.renderFile() function.

ejs vulnerable to DoS due to weak input validation
Node.js ejs versions older than 2.5.5 are vulnerable to a denial of service due to weak input validation in ejs.renderFile().

ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

mde ejs vulnerable to XSS
Node.js ejs versions older than 2.5.5 are vulnerable to cross-site scripting in ejs.renderFile(), resulting in code injection.

ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
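The common thread in the last two advisories is that objects built from untrusted input reach the template engine either as render options (the outputFunctionName case) or as template data with prototype-pollution keys. The following is an added example, not code from this page or from the ejs project, of one mitigation: an allowlist on the option keys that may reach the engine, and a data copy that drops `__proto__`, `constructor` and `prototype` at every level. The option names in ALLOWED_OPTIONS and the injected renderFn are assumptions for the example so it runs without the ejs package installed.

```javascript
// Added example (not from the page or the ejs project): a defensive wrapper
// around a render call. User-controlled data and engine options are kept in
// separate objects, and only allowlisted option keys reach the engine, so a
// request cannot smuggle in engine settings such as outputFunctionName.

// Option keys application code may set. Everything else is dropped.
// These names are an assumption for the example, not ejs's full option list.
const ALLOWED_OPTIONS = new Set(['cache', 'filename', 'delimiter', 'rmWhitespace']);

// Keys that must never be copied from untrusted input into any object.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the allowed options plus the list of keys that were rejected,
// so the caller can log an attempt to set engine options it should not control.
function sanitizeOptions(untrusted) {
  const out = Object.create(null); // result has no prototype chain
  const dropped = [];
  for (const key of Object.keys(untrusted || {})) {
    if (ALLOWED_OPTIONS.has(key) && !POLLUTION_KEYS.has(key)) {
      out[key] = untrusted[key];
    } else {
      dropped.push(key);
    }
  }
  return { options: out, dropped };
}

// Deep copy of template data that refuses prototype-pollution keys at every level.
function sanitizeData(value) {
  if (Array.isArray(value)) return value.map(sanitizeData);
  if (value && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      if (POLLUTION_KEYS.has(key)) continue;
      out[key] = sanitizeData(value[key]);
    }
    return out;
  }
  return value;
}

// renderFn stands in for ejs.render(template, data, options). It is injected
// (an assumption of the example) so the code runs without ejs installed.
function safeRender(renderFn, template, untrustedData, untrustedOptions) {
  const { options, dropped } = sanitizeOptions(untrustedOptions);
  if (dropped.length) {
    console.warn('dropped template options:', dropped.join(', '));
  }
  return renderFn(template, sanitizeData(untrustedData), options);
}

// Stand-in renderer that just echoes what it would have been given.
const mockRender = (template, data, options) => ({ template, data, options });

// Constructed input modelled on the advisories: JSON.parse produces an own
// "__proto__" property, which is how such keys arrive from a request body.
const hostileOptions = JSON.parse(
  '{"cache":true,"outputFunctionName":"INJECTED-PLACEHOLDER","__proto__":{"polluted":true}}'
);
const hostileData = JSON.parse('{"user":{"name":"alice","__proto__":{"admin":true}}}');

const result = safeRender(mockRender, 'Hi <%= user.name %>', hostileData, hostileOptions);
console.log(JSON.stringify(result));
```

The key design choice is that options never come from the same object as data: even a legitimate `filename` option is copied field by field rather than spread from the request, so a later addition to the engine's internal option set cannot become reachable by accident.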