CVE-2023-2142 (GCVE-0-2023-2142)

Vulnerability from cvelistv5 – Published: 2024-11-26 11:24 – Updated: 2024-11-27 16:19
VLAI?
Title
Nunjucks autoescape bypass leads to cross site scripting
Summary
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Mozilla Nunjucks Affected: 0 , < 3.2.4 (semver)
Create a notification for this product.
Credits
blaiddx64
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mozilla:nunjucks:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "nunjucks",
            "vendor": "mozilla",
            "versions": [
              {
                "lessThan": "3.2.4",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-2142",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-27T16:17:55.829952Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-27T16:19:44.548Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Nunjucks",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "3.2.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "blaiddx64"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn Nunjucks versions prior to version 3.2.4, it was \npossible to bypass the restrictions which are provided by the autoescape\n functionality. If there are two user-controlled parameters on the same \nline used in the views, it was possible to inject cross site scripting \npayloads using the backslash \u003ccode\u003e\\\u003c/code\u003e character.\u003c/p\u003e"
            }
          ],
          "value": "In Nunjucks versions prior to version 3.2.4, it was \npossible to bypass the restrictions which are provided by the autoescape\n functionality. If there are two user-controlled parameters on the same \nline used in the views, it was possible to inject cross site scripting \npayloads using the backslash \\ character."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-26T11:24:15.422Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1825980"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Nunjucks autoescape bypass leads to cross site scripting",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2023-2142",
    "datePublished": "2024-11-26T11:24:15.422Z",
    "dateReserved": "2023-04-18T08:19:20.097Z",
    "dateUpdated": "2024-11-27T16:19:44.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Nunjucks versions prior to version 3.2.4, it was \\npossible to bypass the restrictions which are provided by the autoescape\\n functionality. If there are two user-controlled parameters on the same \\nline used in the views, it was possible to inject cross site scripting \\npayloads using the backslash \\\\ character.\"}, {\"lang\": \"es\", \"value\": \"En las versiones de Nunjucks anteriores a la versi\\u00f3n 3.2.4, era posible eludir las restricciones que proporciona la funci\\u00f3n de escape autom\\u00e1tico. Si hay dos par\\u00e1metros controlados por el usuario en la misma l\\u00ednea utilizada en las vistas, era posible inyectar payloads de cross-site scripting utilizando el car\\u00e1cter de barra invertida \\\\.\"}]",
      "id": "CVE-2023-2142",
      "lastModified": "2024-11-27T17:15:05.200",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2024-11-26T12:15:18.307",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1825980\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw\", \"source\": \"security@mozilla.org\"}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@mozilla.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-2142\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2024-11-26T12:15:18.307\",\"lastModified\":\"2025-06-24T16:42:52.533\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Nunjucks versions prior to version 3.2.4, it was \\npossible to bypass the restrictions which are provided by the autoescape\\n functionality. If there are two user-controlled parameters on the same \\nline used in the views, it was possible to inject cross site scripting \\npayloads using the backslash \\\\ character.\"},{\"lang\":\"es\",\"value\":\"En las versiones de Nunjucks anteriores a la versi\u00f3n 3.2.4, era posible eludir las restricciones que proporciona la funci\u00f3n de escape autom\u00e1tico. Si hay dos par\u00e1metros controlados por el usuario en la misma l\u00ednea utilizada en las vistas, era posible inyectar payloads de cross-site scripting utilizando el car\u00e1cter de barra invertida \\\\.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@mozilla.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:nunjucks:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.2.4\",\"matchCriteriaId\":\"AEEE5C7E-56D7-4DB4-A58B-4AC206EDA1D3\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1825980\",\"source\":\"security@mozilla.org\",\"tags\":[\"Issue Tracking\",\"Permissions Required\"]},{\"url\":\"https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-2142\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-27T16:17:55.829952Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:mozilla:nunjucks:*:*:*:*:*:*:*:*\"], \"vendor\": \"mozilla\", \"product\": \"nunjucks\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.2.4\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-27T16:19:37.787Z\"}}], \"cna\": {\"title\": \"Nunjucks autoescape bypass leads to cross site scripting\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"blaiddx64\"}], \"impacts\": [{\"capecId\": \"CAPEC-63\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-63 Cross-Site Scripting (XSS)\"}]}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Nunjucks\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.2.4\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1825980\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Nunjucks versions prior to version 3.2.4, it was \\npossible to bypass the restrictions which are provided by the autoescape\\n functionality. If there are two user-controlled parameters on the same \\nline used in the views, it was possible to inject cross site scripting \\npayloads using the backslash \\\\ character.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIn Nunjucks versions prior to version 3.2.4, it was \\npossible to bypass the restrictions which are provided by the autoescape\\n functionality. If there are two user-controlled parameters on the same \\nline used in the views, it was possible to inject cross site scripting \\npayloads using the backslash \u003ccode\u003e\\\\\u003c/code\u003e character.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2024-11-26T11:24:15.422Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-2142\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-27T16:19:44.548Z\", \"dateReserved\": \"2023-04-18T08:19:20.097Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2024-11-26T11:24:15.422Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.