CVE-2024-22195

Published: 11/01/2024 Updated: 27/01/2024
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Vulnerable Product

palletsprojects jinja

Vendor Advisories

Debian Bug report logs - #1060748 jinja2: CVE-2024-22195: HTML attribute injection when passing user input as keys to xmlattr filter. Package: src:jinja2; Maintainer for src:jinja2 is Piotr Ożarowski <piotr@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 13 Jan 2024 16:27:05 UTC; Severity ...
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values ...
Description: This CVE is under investigation by Red Hat Product Security ...

Github Repositories

F-test is a simple web app test that handles a register format to send data into a MariaDB Database

F-test. F-test is a simple web app test that handles a register format to send data into a MariaDB Database, made with Flask. This simple project is made to learn Flask in a nutshell. Check this little wiki / article that I did here :)) Frontend: It uses JavaScript, HTML and CSS. You can install Node here. Backend: It uses Flask as a modern framework to build minimal and scalable