Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14NzdqLXc3d2YtZmptd84AAy5c
Nunjucks autoescape bypass leads to cross site scripting
Impact
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.
Example
If the user-controlled parameters were used in the views similar to the following:
<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>
It is possible to inject XSS payload using the below parameters:
https://<application-url>/?lang=jp\&place=};alert(document.domain)//
Patches
The issue was patched in version 3.2.4.
References
Permalink: https://github.com/advisories/GHSA-x77j-w7wf-fjmwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NzdqLXc3d2YtZmptd84AAy5c
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago
Identifiers: GHSA-x77j-w7wf-fjmw, CVE-2023-2142
References:
- https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw
- https://github.com/mozilla/nunjucks/pull/1437
- https://github.com/mozilla/nunjucks/commit/ec16d210e7e13f862eccdb0bc9af9f60ff6749d6
- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
- https://github.com/mozilla/nunjucks/releases/tag/v3.2.4
- https://github.com/advisories/GHSA-x77j-w7wf-fjmw
Affected Packages
npm:nunjucks
Versions: < 3.2.4Fixed in: 3.2.4