[Snyk:Medium] Jinja Cross-site Scripting (XSS) (Due 07/07/2024)

[cnlucas]

Introduced through
jinja2@3.1.3
Fixed in
jinja2@3.1.4

Exploit maturity
No known exploit

Detailed paths and remediation

Introduced through: project@0.0.0 › jinja2@3.1.3
Fix: Upgrade jinja2 to version 3.1.4

Security information
Factors contributing to the scoring:

Snyk: [CVSS 5.4](https://security.snyk.io/vuln/SNYK-PYTHON-JINJA2-6809379) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the xmlattr filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure.

Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters.

Completion Criteria

• We have either determined this is not a risk and ignored the flag or vuln is remediated