CVE-2023-2142
Nunjucks autoescape bypass leads to cross site scripting
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
26 Nov 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In Nunjucks versions prior to version 3.2.4, it was
possible to bypass the restrictions which are provided by the autoescape
functionality. If there are two user-controlled parameters on the same
line used in the views, it was possible to inject cross site scripting
payloads using the backslash \ character.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
Mozilla · Nunjucks