NodeJS/nunjucks/1.3.3


A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)

https://www.npmjs.com/package/nunjucks
BSD

3 Security Vulnerabilities

Cross-Site Scripting in nunjucks

Published date: 2018-11-06T23:13:37Z
CVE: CVE-2016-10547

Affected versions of nunjucks do not properly escape specially structured user input in template vars when in auto-escape mode, resulting in a cross-site scripting vulnerability.

Proof of Concept

By using an array for the keys in a template var, escaping is bypassed.

```
name[]=<script>alert(1)</script>
```

A full PoC is available in the references section.

Recommendation

Update to version 2.4.3 or later.

Affected versions: ["0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.1.10", "1.0.0", "0.1.0-a1", "0.1.0-a2", "0.1.0-a3", "0.1.0-a4", "0.1.0-a5", "0.1.0-a6", "0.1.0-b1", "0.1.4-a", "0.1.8-a", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.1.0", "1.2.0", "1.3.0", "1.3.1", "1.3.3", "1.3.4", "2.0.0", "2.1.0", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.4.2"]
Secure versions: [3.2.4]
Recommendation: Update to version 3.2.4.
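
How a non-string value can slip past an escaper, shown as an added example that is not nunjucks code or part of the advisory. It assumes a simplified escaper that only escapes values whose type is string; `emitStringsOnly`, `emitCoerced` and `scalarParam` are hypothetical names, and the sample query object is constructed.

```javascript
// Simplified model (assumption) of an autoescaper, not nunjucks' own routine.
const ENTITIES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
const escapeHtml = (s) => s.replace(/[&"'<>]/g, (ch) => ENTITIES[ch]);

// Weak model: only values of type string are escaped, so an array is
// stringified by the template output step with its markup intact.
function emitStringsOnly(val) {
  if (val === undefined || val === null) return '';
  return typeof val === 'string' ? escapeHtml(val) : String(val);
}

// Corrected model: coerce to a string first, then escape unconditionally.
function emitCoerced(val) {
  if (val === undefined || val === null) return '';
  return escapeHtml(String(val));
}

// Defence in depth at the request boundary: accept only scalar strings for
// parameters that a view prints, whatever the query-string parser produced.
function scalarParam(query, key) {
  const val = query[key];
  if (typeof val !== 'string') {
    throw new TypeError(`parameter ${key} must be a single string`);
  }
  return val;
}

// Constructed sample: what a bracket-aware query parser yields for name[]=...
// A harmless <b> tag stands in for attacker-supplied markup.
const parsedQuery = { name: ['<b>marker</b>'] };

console.log(emitStringsOnly(parsedQuery.name)); // markup survives
console.log(emitCoerced(parsedQuery.name));     // markup is escaped
```

Upgrading remains the fix the advisory gives; the `scalarParam` check is an extra guard for handlers that expect a single string.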

Nunjucks autoescape bypass leads to cross site scripting

Published date: 2023-04-20T21:19:24Z
CVE: CVE-2023-2142

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

```
<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>
```

It is possible to inject XSS payload using the below parameters:

```
https://<application-url>/?lang=jp\&place=};alert(document.domain)//
```

Patches

The issue was patched in version 3.2.4.
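
Why HTML escaping alone does not keep a value inside a JavaScript string, shown as an added example that is not nunjucks code or part of the advisory. `htmlEscape` is a simplified stand-in for autoescaping that is assumed to leave the backslash untouched; `jsLiteral` and `firstStringLiteral` are hypothetical helpers, and the sample values are constructed and benign.

```javascript
// htmlEscape is a simplified stand-in (assumption), not nunjucks' own routine.
const HTML_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

function htmlEscape(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// The advisory's view line, filled in with HTML-escaped values.
function renderHtmlEscaped(lang, place) {
  return `let testObject = { lang: '${htmlEscape(lang)}', place: '${htmlEscape(place)}' };`;
}

// Context-appropriate encoding: emit a complete JS string literal, then
// neutralise characters that matter to the HTML parser around <script>.
function jsLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

function renderJsEncoded(lang, place) {
  return `let testObject = { lang: ${jsLiteral(lang)}, place: ${jsLiteral(place)} };`;
}

// Return the raw source text of the first string literal as a JS lexer would
// delimit it: a backslash consumes the next character, including a quote.
function firstStringLiteral(script) {
  const start = script.search(/['"]/);
  const quote = script[start];
  let i = start + 1;
  while (i < script.length && script[i] !== quote) {
    i += script[i] === '\\' ? 2 : 1;
  }
  return script.slice(start + 1, i);
}

// Constructed, benign sample input: a value that merely ends in a backslash.
const lang = 'jp\\';
const place = 'tokyo';

// HTML-escaped: the literal runs on past its closing quote into the next property.
console.log(firstStringLiteral(renderHtmlEscaped(lang, place)));
// JS-encoded: the literal holds only the escaped form of the input value.
console.log(firstStringLiteral(renderJsEncoded(lang, place)));
```

Passing values to scripts as JSON-encoded data, rather than interpolating them into quoted strings, keeps the string boundary under the template author's control regardless of the escaper's character set.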

Affected versions: ["0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.1.10", "1.0.0", "0.1.0-a1", "0.1.0-a2", "0.1.0-a3", "0.1.0-a4", "0.1.0-a5", "0.1.0-a6", "0.1.0-b1", "0.1.4-a", "0.1.8-a", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.1.0", "1.2.0", "1.3.0", "1.3.1", "1.3.3", "1.3.4", "2.0.0", "2.1.0", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.4.2", "2.4.3", "2.5.0", "2.5.1", "2.5.2", "3.0.0", "3.0.1", "3.1.0", "3.1.2", "3.1.3", "3.1.4", "3.1.6", "3.1.7", "3.2.0", "3.2.1", "3.2.2", "3.2.3"]
Secure versions: [3.2.4]
Recommendation: Update to version 3.2.4.

XSS in autoescape mode

Published date: 2016-10-17
CVSS Score: 6.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Coordinating vendor: ^Lift Security

Nunjucks is a full featured templating engine for JavaScript.

Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as name[]=<script>alert(1)</script>, it is possible to bypass autoescaping and inject content into the DOM.

Affected versions: ["0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.1.10", "1.0.0", "0.1.0-a1", "0.1.0-a2", "0.1.0-a3", "0.1.0-a4", "0.1.0-a5", "0.1.0-a6", "0.1.0-b1", "0.1.4-a", "0.1.8-a", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.1.0", "1.2.0", "1.3.0", "1.3.1", "1.3.3", "1.3.4", "2.0.0", "2.1.0", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.4.2"]
Secure versions: [3.2.4]
Recommendation: Upgrade to version 2.4.3 or later.

58 Other Versions

| Version | License | Security | Released |
|---|---|---|---|
| 3.2.4 | BSD-2-Clause | | 2023-04-13 - 14:43 about 1 year |
| 3.2.3 | BSD-2-Clause | 1 | 2021-02-15 - 19:38 over 3 years |
| 3.2.2 | BSD-2-Clause | 1 | 2020-07-20 - 04:38 almost 4 years |
| 3.2.1 | BSD-2-Clause | 1 | 2020-03-17 - 13:48 about 4 years |
| 3.2.0 | BSD-2-Clause | 1 | 2019-03-05 - 17:30 about 5 years |
| 3.1.7 | BSD-2-Clause | 1 | 2019-01-12 - 18:40 over 5 years |
| 3.1.6 | BSD-2-Clause | 1 | 2018-12-13 - 23:58 over 5 years |
| 3.1.4 | BSD-2-Clause | 1 | 2018-11-09 - 05:15 over 5 years |
| 3.1.3 | BSD-2-Clause | 1 | 2018-05-19 - 15:52 almost 6 years |
| 3.1.2 | BSD-2-Clause | 1 | 2018-02-24 - 00:35 about 6 years |
| 3.1.0 | BSD-2-Clause | 1 | 2018-02-20 - 04:38 about 6 years |
| 3.0.1 | BSD-2-Clause | 1 | 2017-05-24 - 13:10 almost 7 years |
| 3.0.0 | BSD-2-Clause | 1 | 2016-11-05 - 10:35 over 7 years |
| 2.5.2 | BSD-2-Clause | 1 | 2016-09-14 - 09:13 over 7 years |
| 2.5.1 | BSD-2-Clause | 1 | 2016-09-13 - 07:30 over 7 years |
| 2.5.0 | BSD-2-Clause | 1 | 2016-09-07 - 20:38 over 7 years |
| 2.4.3 | BSD-2-Clause | 1 | 2016-09-07 - 16:39 over 7 years |
| 2.4.2 | BSD-2-Clause | 3 | 2016-04-15 - 21:30 about 8 years |
| 2.4.1 | BSD-2-Clause | 3 | 2016-03-17 - 18:44 about 8 years |
| 2.4.0 | BSD-2-Clause | 3 | 2016-03-10 - 21:20 about 8 years |
| 2.3.0 | BSD-2-Clause | 3 | 2016-01-06 - 23:04 over 8 years |
| 2.2.0 | BSD-2-Clause | 3 | 2015-11-23 - 20:27 over 8 years |
| 2.1.0 | BSD-2-Clause | 3 | 2015-09-21 - 20:39 over 8 years |
| 2.0.0 | BSD-2-Clause | 3 | 2015-08-28 - 00:11 over 8 years |
| 1.3.4 | BSD | 3 | 2015-04-27 - 20:38 about 9 years |
| 1.3.3 | BSD | 3 | 2015-04-03 - 21:43 about 9 years |
| 1.3.1 | BSD | 3 | 2015-04-03 - 20:50 about 9 years |
| 1.3.0 | BSD | 3 | 2015-04-03 - 16:43 about 9 years |
| 1.2.0 | BSD | 3 | 2015-02-04 - 22:05 over 9 years |
| 1.1.0 | BSD | 3 | 2014-09-30 - 17:36 over 9 years |
| 1.0.7 | BSD | 3 | 2014-08-15 - 19:09 almost 10 years |
| 1.0.6 | BSD | 3 | 2014-08-15 - 19:00 almost 10 years |
| 1.0.5 | BSD | 3 | 2014-05-02 - 00:50 about 10 years |
| 1.0.4 | BSD | 3 | 2014-04-04 - 20:47 about 10 years |
| 1.0.3 | BSD | 3 | 2014-04-04 - 20:43 about 10 years |
| 1.0.2 | BSD | 3 | 2014-03-25 - 19:35 about 10 years |
| 1.0.1 | BSD | 3 | 2013-12-16 - 23:12 over 10 years |
| 1.0.0 | BSD-2-Clause | 3 | 2013-10-24 - 20:09 over 10 years |
| 0.1.10 | BSD-2-Clause | 3 | 2013-08-09 - 14:42 almost 11 years |
| 0.1.9 | BSD-2-Clause | 3 | 2013-05-31 - 04:47 almost 11 years |
| 0.1.8 | BSD-2-Clause | 3 | 2013-02-06 - 18:20 over 11 years |
| 0.1.8-a | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |
| 0.1.7 | BSD-2-Clause | 3 | 2012-12-12 - 17:01 over 11 years |
| 0.1.6 | BSD-2-Clause | 3 | 2012-11-13 - 16:49 over 11 years |
| 0.1.5 | BSD-2-Clause | 3 | 2012-10-11 - 18:27 over 11 years |
| 0.1.4 | BSD-2-Clause | 3 | 2012-10-03 - 18:35 over 11 years |
| 0.1.4-a | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |
| 0.1.3 | BSD-2-Clause | 3 | 2012-10-01 - 19:07 over 11 years |
| 0.1.2 | BSD-2-Clause | 3 | 2012-09-20 - 16:25 over 11 years |
| 0.1.1 | BSD-2-Clause | 3 | 2012-09-20 - 16:25 over 11 years |
| 0.1.0 | BSD-2-Clause | 3 | 2012-09-19 - 17:49 over 11 years |
| 0.1.0-a6 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |
| 0.1.0-a5 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |
| 0.1.0-a4 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |
| 0.1.0-a3 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |
| 0.1.0-a2 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |
| 0.1.0-b1 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |
| 0.1.0-a1 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 over 10 years |