NodeJS/nunjucks/3.1.4
A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)
https://www.npmjs.com/package/nunjucks
BSD-2-Clause
1 Security Vulnerabilities
Nunjucks autoescape bypass leads to cross site scripting
- https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw
- https://github.com/mozilla/nunjucks/pull/1437
- https://github.com/mozilla/nunjucks/commit/ec16d210e7e13f862eccdb0bc9af9f60ff6749d6
- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
- https://github.com/mozilla/nunjucks/releases/tag/v3.2.4
- https://github.com/advisories/GHSA-x77j-w7wf-fjmw
- https://nvd.nist.gov/vuln/detail/CVE-2023-2142
Impact
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.
Example
If the user-controlled parameters were used in the views similar to the following:
<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>
It is possible to inject XSS payload using the below parameters:
https://<application-url>/?lang=jp\&place=};alert(document.domain)//
Patches
The issue was patched in version 3.2.4.
References
58 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.1.0 | BSD-2-Clause | 3 | 2012-09-19 - 17:49 | almost 13 years |
| 0.1.0-a6 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
| 0.1.0-a5 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
| 0.1.0-a4 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
| 0.1.0-a3 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
| 0.1.0-a2 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
| 0.1.0-b1 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
| 0.1.0-a1 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |