Introduced through: jinja2@3.1.3
Fixed in: jinja2@3.1.4
Exploit maturity: No known exploit
Detailed paths and remediation
Introduced through: project@0.0.0 › jinja2@3.1.3
Fix: Upgrade jinja2 to version 3.1.4
Security information
Factors contributing to the scoring:
Snyk: [CVSS 5.4](https://security.snyk.io/vuln/SNYK-PYTHON-JINJA2-6809379) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
Jinja2 is a template engine written in pure Python. It provides a Django-inspired, non-XML syntax, supports inline expressions, and offers an optional sandboxed environment.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the xmlattr filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure.
Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters.
Completion Criteria
We have either determined that this is not a risk and ignored the flag, or the vulnerability has been remediated.