Lucene search

[email protected]CVE-2023-33962

HistoryMay 30, 2023 - 10:15 p.m.

CVE-2023-33962

2023-05-3022:15:10

CWE-79

[email protected]

web.nvd.nist.gov

jstachio

java

mustache

xss

html

vulnerability

cve-2023-33962

security

patch

mitigation

escape characters

session hijacking

web defacement

information theft

malware

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.7%

JSON

JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes ' in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware.

Version 1.0.1 contains a patch for this issue. To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape ' as &#39. As a workaround, users can avoid this issue by using only double quotes " for HTML attributes.

Affected configurations

Vulners

NVD

Node

jstachiojstachioRange<1.0.1

CPENameOperatorVersion
jstachio_project:jstachiojstachio project jstachiolt1.0.1

CPE	Name	Operator	Version
jstachio_project:jstachio	jstachio project jstachio	lt	1.0.1

CNA Affected

[
  {
    "vendor": "jstachio",
    "product": "jstachio",
    "versions": [
      {
        "version": "< 1.0.1",
        "status": "affected"
      }
    ]
  }
]