Lucene search
GoogleOSV:GHSA-W3W8-37JV-2C58HistoryOct 24, 2017 - 6:33 p.m.
Cross-Site Scripting in mustache
2017-10-2418:33:36
Google
osv.dev
7
EPSS
0.002
Percentile
61.6%
Versions of mustache prior to 2.2.1 are affected by a cross-site scripting vulnerability when attributes in mustache templates are not quoted.
Example
Template:
<a href />
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href />
Recommendation
Update to version 2.2.1 or later.
Alternatively, ensure that all attributes in hmustache templates are encapsulated with quotes.
References
www.openwall.com/lists/oss-security/2016/04/20/11
www.securityfocus.com/bid/96436
github.com/advisories/GHSA-w3w8-37jv-2c58
github.com/janl/mustache.js
github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5
nvd.nist.gov/vuln/detail/CVE-2015-8862
www.npmjs.com/advisories/62
www.tenable.com/security/tns-2016-18
Related
nodejs
nodejs
Cross-Site Scripting
2015-12-14 17:05:06
prion
prion
Cross site scripting
2017-01-23 21:59:00
ubuntucve
ubuntucve
CVE-2015-8862
2017-01-23 00:00:00
nvd
nvd
CVE-2015-8862
2017-01-23 21:59:00
cve
cve
CVE-2015-8862
2017-01-23 21:59:00
debiancve
debiancve
CVE-2015-8862
2017-01-23 21:59:00
veracode
veracode
Cross-site Scripting (XSS)
2018-04-06 04:28:02
cvelist
cvelist
CVE-2015-8862
2017-01-23 21:00:00
github
github
Cross-Site Scripting in mustache
2017-10-24 18:33:36
nessus
nessus
Tenable Log Correlation Engine (LCE) < 4.8.1 Multiple Vulnerabilities
2017-03-22 00:00:00