CVE-2016-10547 — Cross-Site Scripting in nunjucks

Description

Affected versions of `nunjucks` do not properly escape specially structured user input in template vars when in auto-escape mode, resulting in a cross-site scripting vulnerability. ## Proof of Concept By using an array for the keys in a template var, escaping is bypassed. ```javascript name[]=<script>alert(1)</script> ``` A full PoC is available in the references section. ## Recommendation Update to version 2.4.3 or later.

How to fix CVE-2016-10547

To remediate CVE-2016-10547, upgrade the affected package to a fixed version below.

npm/nunjucks—upgrade to 2.4.3 or later

Is CVE-2016-10547 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.4.3

References (5)

ADVISORYgithub.com/advisories/GHSA-f7ph-p5rv-phw2
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10547
WEBgithub.com/matt-/nunjucks_test
WEBgithub.com/mozilla/nunjucks/issues/835
WEBwww.npmjs.com/advisories/147