XSS in client rendered block templates in rendr

Description

Affected versions of rendr are vulnerable to cross-site scripting when client side rendering is done inside a _block.

Server side rendering is not affected and is properly escaped.

Recommendation

Update the rendr package to the latest compatible version. Followings are version details:

• Affected version(s): <= 1.1.3
• Patched version(s): 1.1.4

References

• GHSA-v5hp-35hw-cw5x
• www.npmjs.com
• CVE-2016-1000230
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Eta vulnerable to Code Injection via templates rendered with user-defined data - CVE-2022-25967
• MediaElement Vulnerable to Reflected XSS - CVE-2016-4567
• Cross-Site Scripting (XSS) in pivottable - CVE-2016-1000241
• DOM-based XSS in gmail-js - CVE-2016-1000228

Tags:

npm

rendr