Описание
Cross-Site Scripting in nunjucks
Affected versions of nunjucks do not properly escape specially structured user input in template vars when in auto-escape mode, resulting in a cross-site scripting vulnerability.
Proof of Concept
By using an array for the keys in a template var, escaping is bypassed.
A full PoC is available in the references section.
Recommendation
Update to version 2.4.3 or later.
Пакеты
nunjucks
< 2.4.3
2.4.3
Связанные уязвимости
Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as `name[]=<script>alert(1)</script>`, it is possible to bypass autoescaping and inject content into the DOM.