Nunjucks autoescape bypass leads to cross site scripting

Description

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Recommendation

Update the nunjucks package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.2.4
• Patched version(s): 3.2.4

References

• GHSA-x77j-w7wf-fjmw
• bugzilla.mozilla.org
• CVE-2023-2142
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• vxe-table Cross-site Scripting vulnerability - CVE-2023-1001
• Cross-site Scripting in cesium - CVE-2023-48094
• Froala Editor Cross-site Scripting vulnerability - CVE-2023-41592
• @excalidraw/excalidraw Cross-site Scripting vulnerability - CVE-2023-26140

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

nunjucks