All the vulnerabilities related to version 0.0.0 of the package
Eta vulnerable to Code Injection via templates rendered with user-defined data
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.
XSS Attack with Express API
XSS attack: anyone using the Express API is impacted.
The problem has been resolved. Users should upgrade to version 2.0.0.
Don't pass user-supplied data directly to res.renderFile.
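The description and workaround above come down to one rule: request-controlled keys must never reach the object that Express hands to the template engine, because on eta < 2.0.0 that object also carried engine configuration. The following is an added example (not code from the eta project or the advisory) of building view data from an explicit allowlist and of a check that flags engine-option keys in incoming data; the template fields `title` and `username` are hypothetical, and the list of engine-option key names is an assumption used only for the check, since the allowlist is what actually protects.

```javascript
// Added example, not part of the eta project or this advisory.
// Engine/render option names that must never come from a request.
// Assumed list for the detection helper below; the allowlist in
// toViewData() is the real control, since a blocklist misses anything
// not named here.
const ENGINE_OPTION_KEYS = new Set([
  'autoEscape', 'varName', 'useWith', 'tags', 'cache', 'views', 'async',
]);

// Returns the keys in `input` that look like engine options, so the
// caller can log and reject the request instead of rendering it.
function findEngineOptionKeys(input) {
  if (input === null || typeof input !== 'object') return [];
  return Object.keys(input).filter((k) => ENGINE_OPTION_KEYS.has(k));
}

// Copies only `allowed` own keys from user input into a fresh,
// prototype-less object. Values are coerced to strings so nested objects
// cannot smuggle options either; everything else is dropped.
function toViewData(input, allowed) {
  const out = Object.create(null);
  if (input === null || typeof input !== 'object') return out;
  for (const key of allowed) {
    if (!Object.prototype.hasOwnProperty.call(input, key)) continue;
    const v = input[key];
    if (typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean') {
      out[key] = String(v);
    }
  }
  return out;
}

// Constructed request body: one legitimate field plus two keys that, on
// eta < 2.0.0, would have been merged into the engine configuration.
const constructedBody = { username: 'alice', autoEscape: false, varName: 'x' };

// In an Express handler (hypothetical route and template name):
//   const bad = findEngineOptionKeys(req.body);
//   if (bad.length) return res.status(400).send('unexpected fields');
//   res.render('profile', toViewData(req.body, ['title', 'username']));
```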
For more information, see https://github.com/eta-dev/eta/releases/tag/v2.0.0