latte/latte is vulnerable to cross-site scripting. The library allows the template sandbox to be escaped through the ‘validateTokens’ function in ‘PhpWriter.php’, which lets an attacker inject script into web pages and leads to an XSS attack.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | latte/latte | le | v2.8.7 |
| | latte/latte | le | v2.10.7 |
| | latte/latte | le | v2.9.5 |
github.com/nette/latte/commit/36206444ac8f6a7639c01db2e5aeb7add9b5d848
github.com/nette/latte/commit/9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0
github.com/nette/latte/commit/a0090afea4c916fd6fe44898501f35b288bce0cb
github.com/nette/latte/releases/tag/v2.10.8
github.com/nette/latte/releases/tag/v2.8.8
github.com/nette/latte/releases/tag/v2.9.6
github.com/nette/latte/security/advisories/GHSA-36m2-8rhx-f36j
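
A dependency check for the affected versions listed above, as an added example that is not part of the original advisory or the Latte project: it reads a `composer.lock` and classifies any latte/latte entry. Reading each `le` bound as applying to its own 2.8, 2.9 or 2.10 branch, with any later patch release in that branch (starting at the v2.8.8, v2.9.6 and v2.10.8 tags linked above) treated as fixed, is an assumption; the function names and the sample lock file are constructed.

```python
import json
import re

# Upper bounds from the page's table ("le"), keyed by release branch.
# Assumption: each bound applies only to its own 2.x branch.
LAST_AFFECTED = {(2, 8): 7, (2, 9): 5, (2, 10): 7}


def parse_version(text):
    """Turn 'v2.10.7' or '2.10.7' into (2, 10, 7); None for dev or pre-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for a latte/latte version."""
    v = parse_version(version_text)
    if v is None:
        return "unparsed"      # e.g. dev-master: needs a manual look
    branch = v[:2]
    if branch not in LAST_AFFECTED:
        return "not-listed"    # the page gives no bound for this branch
    return "affected" if v[2] <= LAST_AFFECTED[branch] else "fixed"


def check_lock(lock_text):
    """Find latte/latte in composer.lock JSON and classify each entry."""
    lock = json.loads(lock_text)
    results = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == "latte/latte":
                version = pkg.get("version", "")
                results.append((section, version, classify(version)))
    return results


# Constructed sample: a minimal composer.lock with one affected entry.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "nette/utils", "version": "v3.2.5"},
        {"name": "latte/latte", "version": "v2.10.7"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status in check_lock(SAMPLE_LOCK):
        print(f"{section}: latte/latte {version} -> {status}")
```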