GHSA-x77j-w7wf-fjmw

Source
https://github.com/advisories/GHSA-x77j-w7wf-fjmw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-x77j-w7wf-fjmw/GHSA-x77j-w7wf-fjmw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x77j-w7wf-fjmw
Published
2023-04-20T21:19:24Z
Modified
2024-11-26T18:54:25Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Nunjucks autoescape bypass leads to cross site scripting
Details

Impact

In Nunjucks versions prior to 3.2.4, it was possible to bypass the restrictions provided by the autoescape functionality. If two user-controlled parameters are rendered on the same line of a view, it was possible to inject cross-site scripting payloads using the backslash (\) character.

Example

If the user-controlled parameters were used in the views similar to the following:

<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>

It is possible to inject an XSS payload using the following parameters:

https://<application-url>/?lang=jp\&place=};alert(document.domain)//

Patches

The issue was patched in version 3.2.4.
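The following is an added illustration, not Nunjucks source code or part of the advisory: a minimal model of an HTML autoescape filter with and without a backslash entry, applied to the view and the parameters quoted above. The two escape tables, the function names, and the regex-based check for whether both values remain inside their single-quoted string literals are assumptions made for this example; only the behaviour they model (an unescaped backslash lets the first value consume the closing quote, so the second value lands in code position) is what the advisory describes.

```javascript
// Added illustration, not Nunjucks source: model an autoescape filter before
// and after a backslash is added to its escape table, and check whether the
// advisory's two parameters stay confined to their JavaScript string literals.

// Assumed escape tables (modelled on the advisory text, not copied from Nunjucks).
const ESCAPE_BEFORE_FIX = {
  '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;',
};
const ESCAPE_AFTER_FIX = {
  ...ESCAPE_BEFORE_FIX,
  '\\': '&#92;', // the modelled fix: backslash now has an escape entry
};

// HTML-escape every character that has an entry in the given table;
// characters without an entry (backslash, before the fix) pass through as-is.
function autoescape(value, table) {
  return String(value).replace(/[&"'<>\\]/g, (ch) => table[ch] ?? ch);
}

// Render the view line from the advisory with both user-controlled parameters.
function renderView(params, table) {
  return `let testObject = { lang: '${autoescape(params.lang, table)}', ` +
         `place: '${autoescape(params.place, table)}' };`;
}

// Lex the rendered line as JavaScript far enough to decide whether the
// statement still has the shape the template author wrote. Inside a literal a
// backslash escapes the next character, so (?:[^'\\]|\\.)* follows the same
// rule the JS lexer applies. Returns null when the literals no longer line up.
function parseStringLiterals(rendered) {
  const shape = /^let testObject = \{ lang: '((?:[^'\\]|\\.)*)', place: '((?:[^'\\]|\\.)*)' \};$/;
  const m = shape.exec(rendered);
  return m ? { lang: m[1], place: m[2] } : null;
}

// The two query parameters from the advisory's URL, URL-decoded (constructed input).
const ADVISORY_PARAMS = { lang: 'jp\\', place: '};alert(document.domain)//' };

// True when rendering with the given table keeps both values inside their literals.
function isConfined(params, table) {
  return parseStringLiterals(renderView(params, table)) !== null;
}

// Compare the two tables on the same input; returns the renderings and verdicts.
function compare(params = ADVISORY_PARAMS) {
  return {
    beforeFix: {
      rendered: renderView(params, ESCAPE_BEFORE_FIX),
      confined: isConfined(params, ESCAPE_BEFORE_FIX),
    },
    afterFix: {
      rendered: renderView(params, ESCAPE_AFTER_FIX),
      confined: isConfined(params, ESCAPE_AFTER_FIX),
    },
  };
}

console.log(compare());
```

With the pre-fix table the rendered line reads `lang: 'jp\', place: '};alert(document.domain)//' };`, where the backslash turns the closing quote of `lang` into an escaped character, so the literal runs on until the quote in front of `place` and the rest of that value is parsed as code; `isConfined` reports false. With the backslash escaped the line stays in the shape the template intended and `isConfined` reports true. Note that HTML entities are not decoded inside a `<script>` body, so the confined value is the literal text `jp&#92;`; the table change closes the string breakout, but serialising values for scripts as JSON (with `<`, `>` and `&` additionally escaped) is the more robust general pattern.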

References

  • https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
Database specific
{
    "nvd_published_at": "2024-11-26T12:15:18Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-20T21:19:24Z"
}
Affected packages

Package: npm / nunjucks

Affected ranges (type: SEMVER)

  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 3.2.4