CVE-2010-2480 — Cross-site Scripting in Mako

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 41.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Makotemplates Mako Debian Mako

Timeline

PublishedJul 2

Latest updateMay 17

Description

Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/mako< mako 0.3.4-1 (bookworm)

▶PyPImakotemplates/mako< 0.3.4

▶Debianmakotemplates/mako< 0.3.4-1+3

▶NVDmakotemplates/mako0.3.3+21

🔴Vulnerability Details

OSV

Mako contains Cross-site Scripting vulnerability↗2022-05-17

▶

GHSA

Mako contains Cross-site Scripting vulnerability↗2022-05-17

▶

OSV

CVE-2010-2480: Mako before 0↗2010-07-02

▶

📋Vendor Advisories

Ubuntu

Mako vulnerability↗2010-09-29

▶

Red Hat

v0.3.4): Improper escaping of single quotes in escape.cgi (XSS)↗2010-06-23

▶

Debian

CVE-2010-2480: mako - Mako before 0.3.4 relies on the cgi.escape function in the Python standard libra...↗2010

▶

💬Community

Bugzilla

CVE-2010-2480 Python-Mako (prior v0.3.4): Improper escaping of single quotes in escape.cgi (XSS)↗2010-06-30

▶