Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2015-5215

Опубликовано: 19 авг. 2015
Источник: redhat
CVSS2: 4.3

Описание

The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not enable auto-escaping, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via template variables. NOTE: This may be a duplicate of CVE-2015-5216. Moreover, the Jinja development team does not enable auto-escape by default for performance issues as explained in https://jinja.palletsprojects.com/en/master/faq/#why-is-autoescaping-not-the-default.

It was found that the Ipsilon IdP server used the default configuration of the Jinja templating engine, which did not HTML escape template variables. This could be exploited to perform an XSS attack if a value from untrusted input was used in the template and rendered in the user`s browser.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 7ipsilonAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1255168ipsilon: XSS in multiple pages

4.3 Medium

CVSS2

Связанные уязвимости

nvd логотип

CVE-2015-5215

CVSS3: 6.1
nvd
почти 6 лет назад

The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not enable auto-escaping, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via template variables. NOTE: This may be a duplicate of CVE-2015-5216. Moreover, the Jinja development team does not enable auto-escape by default for performance issues as explained in https://jinja.palletsprojects.com/en/master/faq/#why-is-autoescaping-not-the-default.

debian логотип

CVE-2015-5215

CVSS3: 6.1
debian
почти 6 лет назад

The default configuration of the Jinja templating engine used in the I ...

github логотип

GHSA-m72r-m3rm-547r

CVSS3: 6.1
github
больше 3 лет назад

** DISPUTED ** The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not enable auto-escaping, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via template variables. NOTE: This may be a duplicate of CVE-2015-5216. Moreover, the Jinja development team does not enable auto-escape by default for performance issues as explained in https://jinja.palletsprojects.com/en/master/faq/#why-is-autoescaping-not-the-default.

4.3 Medium

CVSS2