← back
CVE-2023-2142

Nunjucks autoescape bypass leads to cross site scripting

CVSS 6.1 MEDIUMEPSS 0.4%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.1EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
26 Nov 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
Mozilla · Nunjucks