CVE-2024-22195 — Cross-site Scripting in Jinja

CWE-79 — Cross-site Scripting12 documents8 sources

Severity

6.1MEDIUMNVD

CNA5.4GHSA5.4OSV5.3

EPSS

0.2%

top 64.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pallets Jinja Pocoo Jinja2 Palletsprojects Jinja

Timeline

PublishedJan 11

Latest updateMay 6

Description

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blac…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶PyPIpocoo/jinja2< 3.1.3

▶CVEListV5pallets/jinja< 3.1.4+1

▶NVDpalletsprojects/jinja< 3.1.3

▶Debianpocoo/jinja2< 2.11.3-1+deb11u1+3

▶Ubuntupocoo/jinja2< 2.10.1-2ubuntu0.2+4

🔴Vulnerability Details

GHSA

Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter↗2024-05-06

▶

OSV

jinja2 vulnerabilities↗2024-01-25

▶

OSV

CVE-2024-22195: Jinja is an extensible templating engine↗2024-01-11

▶

CVEList

Jinja vulnerable to Cross-Site Scripting (XSS)↗2024-01-11

▶

OSV

Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter↗2024-01-11

▶

📋Vendor Advisories

Red Hat

jinja2: accepts keys containing non-attribute characters↗2024-05-06

▶

Ubuntu

Jinja2 vulnerabilities↗2024-01-25

▶

Red Hat

jinja2: HTML attribute injection when passing user input as keys to xmlattr filter↗2024-01-11

▶

Microsoft

Jinja vulnerable to Cross-Site Scripting (XSS)↗2024-01-09

▶

Debian

CVE-2024-22195: jinja2 - Jinja is an extensible templating engine. Special placeholders in the template a...↗2024

▶