CVE-2023-33962 MEDIUM

CVE-2023-33962: JStachio XSS vulnerability: Unescaped single quotes

Vendor Jstachio
Product jstachio
Weakness CWE-79 · XSS
Published May 30, 2023
Last update January 10, 2025
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes `'` in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware. Version 1.0.1 contains a patch for this issue. To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape `'` as `&#39`. As a workaround, users can avoid this issue by using only double quotes `"` for HTML attributes.

Key dates

02Disclosure timeline

May 30, 2023 CVE published
January 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-35639 WordPress Simple Spoiler plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability CVE-2024-32463 phlex makes Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags CVE-2024-4736 Campcodes Legal Case Management System tax cross site scripting CVE-2019-25420 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via snat CVE-2023-4842 Social Sharing Plugin - Social Warfare <= 4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode