CVE-2023-2142: Nunjucks autoescape bypass leads to cross-site scripting

Vendor: Mozilla
Product: Nunjucks
Weakness: CWE-79 (XSS)
Published: November 26, 2024
Last update: November 27, 2024

What the vulnerability does

01 Description

In Nunjucks versions prior to 3.2.4, the restrictions provided by the autoescape functionality could be bypassed. If two user-controlled parameters were used on the same line in a view, cross-site scripting payloads could be injected using the backslash (\) character.
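For auditing an existing code base against the condition described above, the following is an added example, not code from Nunjucks or from this record. It checks an installed version against the fixed release 3.2.4 and lists view lines that carry two or more output expressions; the function names and the sample view are assumptions constructed for illustration.

```javascript
// Added audit helper, not Nunjucks code. Function names are hypothetical.

// True when a plain x.y.z version is older than 3.2.4, the fixed release.
function isAffectedVersion(version) {
  const fixed = [3, 2, 4];
  const parts = version.split(".").map((p) => parseInt(p, 10));
  for (let i = 0; i < fixed.length; i++) {
    const v = Number.isInteger(parts[i]) ? parts[i] : 0;
    if (v !== fixed[i]) return v < fixed[i];
  }
  return false;
}

// Returns the lines that carry two or more {{ ... }} output expressions,
// the layout the advisory names. It cannot tell which values are
// user-controlled, so each finding is a candidate for manual review.
function findMultiOutputLines(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const outputs = text.match(/\{\{.*?\}\}/g) || [];
    if (outputs.length >= 2) {
      // Drop the braces and any whitespace-control dashes.
      const expressions = outputs.map((m) =>
        m.slice(2, -2).replace(/^-|-$/g, "").trim()
      );
      findings.push({ line: index + 1, expressions });
    }
  });
  return findings;
}

// Constructed sample view (not from the advisory).
const SAMPLE_VIEW = [
  "<h1>{{ title }}</h1>",
  '<a href="/u/{{ id }}" title="{{ name }}">profile</a>',
  "<p>{{ bio }}</p>",
].join("\n");

console.log("3.2.3 affected:", isAffectedVersion("3.2.3"));
console.log(findMultiOutputLines(SAMPLE_VIEW));
```

Upgrading to 3.2.4 or later is the fix the record points to; the line scan only helps prioritise which views to review on installations that cannot be upgraded immediately.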

Key dates

02 Disclosure timeline

November 26, 2024: CVE published
November 27, 2024: Record updated