CVE-2023-2142

{"id": "CVE-2023-2142", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-11-26T12:15:18.307", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1825980", "tags": ["Issue Tracking", "Permissions Required"], "source": "[email protected]"}, {"url": "https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In Nunjucks versions prior to version 3.2.4, it was \npossible to bypass the restrictions which are provided by the autoescape\n functionality. If there are two user-controlled parameters on the same \nline used in the views, it was possible to inject cross site scripting \npayloads using the backslash \\ character."}, {"lang": "es", "value": "En las versiones de Nunjucks anteriores a la versi\u00f3n 3.2.4, era posible eludir las restricciones que proporciona la funci\u00f3n de escape autom\u00e1tico. Si hay dos par\u00e1metros controlados por el usuario en la misma l\u00ednea utilizada en las vistas, era posible inyectar payloads de cross-site scripting utilizando el car\u00e1cter de barra invertida \\."}], "lastModified": "2025-06-24T16:42:52.533", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:nunjucks:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEEE5C7E-56D7-4DB4-A58B-4AC206EDA1D3", "versionEndExcluding": "3.2.4"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}