Vulnerability Description
Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as `name[]=<script>alert(1)</script>`, it is possible to bypass autoescaping and inject content into the DOM.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Nunjucks | <= 2.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/matt-/nunjucks_testExploitThird Party Advisory
- https://github.com/mozilla/nunjucks/issues/835ExploitThird Party Advisory
- https://nodesecurity.io/advisories/147ExploitThird Party Advisory
- https://github.com/matt-/nunjucks_testExploitThird Party Advisory
- https://github.com/mozilla/nunjucks/issues/835ExploitThird Party Advisory
- https://nodesecurity.io/advisories/147ExploitThird Party Advisory
FAQ
What is CVE-2016-10547?
CVE-2016-10547 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should ...
How severe is CVE-2016-10547?
CVE-2016-10547 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10547?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Nunjucks.