Description

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions provided by the autoescape functionality. If two user-controlled parameters were used on the same line in a view, it was possible to inject cross-site scripting payloads using the backslash \ character.

PUBLISHED Reserved 2023-04-18 | Published 2024-11-26 | Updated 2024-11-27 | Assigner mozilla

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unknown

Any version before 3.2.4
affected

Credits

blaiddx64 finder

References

bugzilla.mozilla.org/show_bug.cgi?id=1825980 issue-tracking

github.com/...njucks/security/advisories/GHSA-x77j-w7wf-fjmw vendor-advisory

cve.org (CVE-2023-2142)

nvd.nist.gov (CVE-2023-2142)