Out of Band Code Execution via SSTI (Node.js Pug (Jade))
Invicti detected that this page is vulnerable to Server-Side Template Injection (SSTI) attacks by capturing a DNS A request.
Template engine systems can be placed at the View part of MVC based applications and are used to present dynamic data. Template systems have so called expressions.
SSTI occurs when user-supplied data is embedded inside a template and is evaluated as an expression by the template engine.
This is an important issue and should be addressed as soon as possible.
An attacker can inject data that can be evaluated as template engine expressions. This may trick a system to execute an arbitrary system command.
Do not trust the data that users supply and don't add it to directly into the template. Instead, pass user-controlled parameters to the template as template parameters.