Cross-Site Scripting in bracket-template

Description

All versions of bracket-template are vulnerable to stored cross-site scripting (XSS). This is exploitable when a variable passed in via a GET parameter is used in a template.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.1.5

References

• GHSA-jj6g-7j8p-7gf2
• hackerone.com
• www.npmjs.com
• CWE-79
• OWASP 2021-A3

Related Issues

• Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
• Cross-Site Scripting in swagger-ui - swagger-ui - GHSA-4f9m-pxwh-68hg - Vulnerability
• @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
• vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - CVE-2024-6783

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

bracket-template