1. Home
  2. CVE Database
  3. CVE-2024-22195
MEDIUM · 5.4

CVE-2024-22195

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML te...

Vulnerability Description

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
PalletsprojectsJinja< 3.1.3

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2024-22195?

CVE-2024-22195 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML te...

How severe is CVE-2024-22195?

CVE-2024-22195 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-22195?

Check the references section above for vendor advisories and patch information. Affected products include: Palletsprojects Jinja.