Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14NzdqLXc3d2YtZmptd84AAy5c

Nunjucks autoescape bypass leads to cross site scripting

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>

It is possible to inject XSS payload using the below parameters:

https://<application-url>/?lang=jp\&place=};alert(document.domain)//

Patches

The issue was patched in version 3.2.4.

References

Permalink: https://github.com/advisories/GHSA-x77j-w7wf-fjmw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NzdqLXc3d2YtZmptd84AAy5c
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 11 months ago


Identifiers: GHSA-x77j-w7wf-fjmw, CVE-2023-2142
References: Repository: https://github.com/mozilla/nunjucks

Affected Packages

npm:nunjucks
Dependent packages: 2,944
Dependent repositories: 68,715
Downloads: 2,811,084 last month
Affected Version Ranges: < 3.2.4
Fixed in: 3.2.4
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.3, 1.3.4, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 3.0.0, 3.0.1, 3.1.0, 3.1.2, 3.1.3, 3.1.4, 3.1.6, 3.1.7, 3.2.0, 3.2.1, 3.2.2, 3.2.3
All unaffected versions: 3.2.4