Lucene search
Veracode Vulnerability DatabaseVERACODE:33518HistoryJan 05, 2022 - 5:42 a.m.
Cross-site Scripting (XSS)
2022-01-0505:42:02
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
6
0.001 Low
EPSS
Percentile
26.4%
latte/latte is vulnerable to cross-site scripting. The vulnerability exists because the library allows to escape the template sandbox through the ‘validateTokens’ function in ‘PhpWriter.php’, allowing an attacker to inject script into web pages and its leads to XSS attack.
| CPE | Name | Operator | Version |
|---|---|---|---|
| latte/latte | le | v2.8.7 | |
| latte/latte | le | v2.10.7 | |
| latte/latte | le | v2.9.5 | |
| latte/latte | le | v2.8.7 | |
| latte/latte | le | v2.10.7 | |
| latte/latte | le | v2.9.5 |
References
github.com/nette/latte/commit/36206444ac8f6a7639c01db2e5aeb7add9b5d848
github.com/nette/latte/commit/9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0
github.com/nette/latte/commit/a0090afea4c916fd6fe44898501f35b288bce0cb
github.com/nette/latte/releases/tag/v2.10.8
github.com/nette/latte/releases/tag/v2.8.8
github.com/nette/latte/releases/tag/v2.9.6
github.com/nette/latte/security/advisories/GHSA-36m2-8rhx-f36j
Related
cve
cve
CVE-2022-21648
2022-01-04 20:15:08
osv
osv
Sandbox bypass in Latte templates
2022-01-06 23:17:07
CVE-2022-21648
2022-01-04 20:15:08
nvd
nvd
CVE-2022-21648
2022-01-04 20:15:08
debiancve
debiancve
CVE-2022-21648
2022-01-04 20:15:00
ubuntucve
ubuntucve
CVE-2022-21648
2022-01-04 00:00:00
cnvd
cnvd
Latte Cross-Site Scripting Vulnerability
2022-01-06 00:00:00
cvelist
cvelist
CVE-2022-21648 Sandbox bypass in Latte templates
2022-01-04 20:10:11
github
github
Sandbox bypass in Latte templates
2022-01-06 23:17:07
prion
prion
Design/Logic Flaw
2022-01-04 20:15:00