CVE-2016-10547

CVE Database · CVE-2016-10547

CVE-2016-10547

· N/AModified

CVSS v3.1

N/A

EPSS

1.44%

Published

May 31, 2018

Modified

Nov 20, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as `name[]=<script>alert(1)</script>`, it is possible to bypass autoescaping and inject content into the DOM.

Weaknesses (CWE)

CWE-79CWE-79

Affected Products (1)

mozilla · nunjucksvulnerable

References (6)

https://github.com/matt-/nunjucks_test

ExploitThird Party Advisory

https://github.com/mozilla/nunjucks/issues/835

ExploitThird Party Advisory

https://nodesecurity.io/advisories/147

ExploitThird Party Advisory

https://github.com/matt-/nunjucks_test

ExploitThird Party Advisory

https://github.com/mozilla/nunjucks/issues/835

ExploitThird Party Advisory

https://nodesecurity.io/advisories/147

KEV Catalog EPSS Scores Vendors All CVEs