
AIKIDO-2024-10086

Jinja2 is vulnerable to Cross-site Scripting (XSS)

Cross-site Scripting (XSS)

CVE-2024-34064

Published May 6, 2024

50

Medium Risk

This Affects:

Python: Jinja2
Affected versions: 2.0 - 3.0.2
Fixed in 3.1.4

TL;DR

The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would be interpreted as starting a separate attribute. If an application accepts keys (instead of just values) as user input and renders them in pages visible to other users, an attacker could exploit this to inject additional attributes and perform Cross-site Scripting (XSS).
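The following added example (not Jinja's code and not part of the original advisory) shows the flaw pattern and a key check using only the Python standard library. The function names and the sample input are hypothetical, and the rejected character set is taken from the list above.

```python
import re
from html import escape
from html.parser import HTMLParser

# Characters the advisory lists as invalid in attribute names: spaces, /, >, =.
# Matching any whitespace (not only U+0020) is an assumption of this sketch.
INVALID_KEY = re.compile(r"[\s/>=]")


def render_attrs_naive(attrs):
    """The flawed pattern: values are escaped, keys are emitted verbatim."""
    return " ".join(f'{k}="{escape(str(v))}"' for k, v in attrs.items())


def render_attrs_checked(attrs):
    """Refuse any key containing a character that would end the attribute name."""
    parts = []
    for key, value in attrs.items():
        if INVALID_KEY.search(key):
            raise ValueError(f"invalid character in attribute name: {key!r}")
        parts.append(f'{escape(key)}="{escape(str(value))}"')
    return " ".join(parts)


class _AttrNames(HTMLParser):
    """Collects the attribute names an HTML parser sees on each start tag."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def parsed_attr_names(attr_string):
    """Wrap the rendered attributes in a tag and return the names parsed from it."""
    parser = _AttrNames()
    parser.feed(f"<a {attr_string}>")
    parser.close()
    return parser.names


# Constructed input: the second key is user-controlled and contains a space.
SAMPLE = {"id": "row-1", "title onfocus": "injected"}

if __name__ == "__main__":
    print(parsed_attr_names(render_attrs_naive(SAMPLE)))  # three names, not two
    try:
        render_attrs_checked(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

Two dictionary keys producing three parsed attribute names is the signal to look for when reviewing templates that pass user-controlled keys to xmlattr.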

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

Jinja2 is vulnerable to Cross-site Scripting (XSS) in versions 2.0 - 3.0.2.

How to fix this

Upgrade the Jinja2 library to the patched version, 3.1.4.
