CVE-2023-2142
Published: Nov 26, 2024
Modified: Nov 27, 2024
PUBLISHED
Description
In Nunjucks versions prior to 3.2.4, it was possible to bypass the restrictions provided by the autoescape functionality. If two user-controlled parameters were used on the same line in a view, it was possible to inject cross-site scripting payloads using the backslash \ character.
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Nunjucks | affected 0 - < 3.2.4 |
Weaknesses (CWE)
References