NodeJS/nunjucks/1.3.3


A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)

https://www.npmjs.com/package/nunjucks
BSD

3 Security Vulnerabilities

Cross-Site Scripting in nunjucks

Published date: 2018-11-06T23:13:37Z
CVE: CVE-2016-10547

Affected versions of nunjucks do not properly escape specially structured user input in template vars when in auto-escape mode, resulting in a cross-site scripting vulnerability.

Proof of Concept

By using an array for the keys in a template var, escaping is bypassed:

    name[]=<script>alert(1)</script>

A full PoC is available in the references section.

Recommendation

Update to version 2.4.3 or later.

Affected versions: ["0.1.3", "0.1.5", "0.1.8", "0.1.9", "1.0.0", "0.1.0-a1", "0.1.0-a3", "0.1.0-a4", "0.1.0-a6", "0.1.8-a", "1.0.1", "1.0.4", "1.0.6", "1.0.7", "1.1.0", "1.2.0", "1.3.1", "1.3.3", "2.0.0", "2.3.0", "2.4.1", "0.1.0", "0.1.1", "0.1.2", "0.1.4", "0.1.6", "0.1.7", "0.1.10", "0.1.0-a2", "0.1.0-a5", "0.1.0-b1", "0.1.4-a", "1.0.2", "1.0.3", "1.0.5", "1.3.0", "1.3.4", "2.1.0", "2.2.0", "2.4.0", "2.4.2"]
Secure versions: [3.2.4]
Recommendation: Update to version 3.2.4.

Nunjucks autoescape bypass leads to cross site scripting

Published date: 2023-04-20T21:19:24Z
CVE: CVE-2023-2142

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

    <script>
    let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
    </script>

It is possible to inject an XSS payload using the parameters below:

    https://<application-url>/?lang=jp\&place=};alert(document.domain)//
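The context mismatch behind this advisory, as an added example that is not Nunjucks code or part of the advisory: HTML escaping does not neutralise a backslash inside a JavaScript string literal, while serialising the data as JSON does. `htmlEscape` is an assumed stand-in for auto-escaping that leaves `\` untouched; `toScriptJson`, `evaluate` and `app.example` are hypothetical names, and the inputs are the advisory's own parameter values.

```javascript
// Added example: all function names are hypothetical; inputs come from the advisory.
// Assumption: HTML auto-escaping covers & " ' < > and leaves "\" untouched.
const HTML_ENTITIES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
function htmlEscape(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => HTML_ENTITIES[ch]);
}

// The view from the advisory: two HTML-escaped values on one line inside <script>.
function renderVulnerable(params) {
  return `let testObject = { lang: '${htmlEscape(params.lang)}', place: '${htmlEscape(params.place)}' };`;
}

// Hardened: emit the whole object as JSON, so quotes and backslashes are escaped
// for the JavaScript context, and escape characters that could end the script block.
function toScriptJson(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}
function renderHardened(params) {
  return `let testObject = ${toScriptJson({ lang: params.lang, place: params.place })};`;
}

// Evaluate the rendered script body with stubbed browser globals and report
// what object was built and whether any injected call ran.
function evaluate(scriptBody) {
  const injectedCalls = [];
  const alertStub = (msg) => injectedCalls.push(msg);
  const run = new Function('alert', 'document', scriptBody + '\nreturn testObject;');
  const testObject = run(alertStub, { domain: 'app.example' });
  return { testObject, injectedCalls };
}

// Parameter values from the advisory URL: lang=jp\ and place=};alert(document.domain)//
const params = { lang: 'jp\\', place: '};alert(document.domain)//' };
const vulnerable = evaluate(renderVulnerable(params));
const hardened = evaluate(renderHardened(params));
console.log('vulnerable:', vulnerable);
console.log('hardened:  ', hardened);
```

In the vulnerable rendering the trailing backslash escapes the closing quote of `lang`, so the first string literal swallows the `place:` key and the second value is parsed as code. In the hardened rendering both values arrive as data.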

Patches

The issue was patched in version 3.2.4.


Affected versions: ["0.1.3", "0.1.5", "0.1.8", "0.1.9", "1.0.0", "0.1.0-a1", "0.1.0-a3", "0.1.0-a4", "0.1.0-a6", "0.1.8-a", "1.0.1", "1.0.4", "1.0.6", "1.0.7", "1.1.0", "1.2.0", "1.3.1", "1.3.3", "2.0.0", "2.3.0", "2.4.1", "3.0.1", "3.1.2", "3.1.3", "3.1.4", "3.1.6", "3.2.2", "0.1.0", "0.1.1", "0.1.2", "0.1.4", "0.1.6", "0.1.7", "0.1.10", "0.1.0-a2", "0.1.0-a5", "0.1.0-b1", "0.1.4-a", "1.0.2", "1.0.3", "1.0.5", "1.3.0", "1.3.4", "2.1.0", "2.2.0", "2.4.0", "2.4.2", "2.4.3", "2.5.0", "2.5.1", "2.5.2", "3.0.0", "3.1.0", "3.1.7", "3.2.0", "3.2.1", "3.2.3"]
Secure versions: [3.2.4]
Recommendation: Update to version 3.2.4.

XSS in autoescape mode

Published date: 2016-10-17
CVSS Score: 6.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Coordinating vendor: ^Lift Security

Nunjucks is a full featured templating engine for JavaScript.

Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as name[]=<script>alert(1)</script>, it is possible to bypass autoescaping and inject content into the DOM.

Affected versions: ["0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.1.10", "1.0.0", "0.1.0-a1", "0.1.0-a2", "0.1.0-a3", "0.1.0-a4", "0.1.0-a5", "0.1.0-a6", "0.1.0-b1", "0.1.4-a", "0.1.8-a", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.1.0", "1.2.0", "1.3.0", "1.3.1", "1.3.3", "1.3.4", "2.0.0", "2.1.0", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.4.2"]
Secure versions: [3.2.4]
Recommendation: Upgrade to version 2.4.3 or later.

58 Other Versions

Version License Security Released
0.1.0 BSD-2-Clause 3 2012-09-19 - 17:49 almost 13 years
0.1.0-a6 BSD-2-Clause 3 2013-12-16 - 23:11 over 11 years
0.1.0-a5 BSD-2-Clause 3 2013-12-16 - 23:11 over 11 years
0.1.0-a4 BSD-2-Clause 3 2013-12-16 - 23:11 over 11 years
0.1.0-a3 BSD-2-Clause 3 2013-12-16 - 23:11 over 11 years
0.1.0-a2 BSD-2-Clause 3 2013-12-16 - 23:11 over 11 years
0.1.0-b1 BSD-2-Clause 3 2013-12-16 - 23:11 over 11 years
0.1.0-a1 BSD-2-Clause 3 2013-12-16 - 23:11 over 11 years