Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter #2439

Open
fnielsen opened this issue Mar 20, 2024 · 2 comments · Fixed by #2447
Open

Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter #2439

fnielsen opened this issue Mar 20, 2024 · 2 comments · Fixed by #2447
Labels
bug something wrong on our end

Comments

@fnielsen
Copy link
Collaborator

Describe the bug
https://nvd.nist.gov/vuln/detail/CVE-2024-22195

Additional context

Affected is < 3.1.3. Patched is 3.1.3
@fnielsen fnielsen added the bug something wrong on our end label Mar 20, 2024
@fnielsen
Copy link
Collaborator Author

Jinja2>=3.1.3 in https://github.com/WDscholia/scholia/blob/master/requirements.txt

fnielsen added a commit that referenced this issue Mar 21, 2024
@fnielsen
Fix #2439 Jinja vulnerability
f1e9769 
Related to https://nvd.nist.gov/vuln/detail/CVE-2024-22195
@fnielsen fnielsen mentioned this issue Mar 21, 2024
Merged
10 tasks
fnielsen added a commit that referenced this issue Mar 21, 2024
@fnielsen
Fix #2439 Jinja vulnerability
97e04cd 
Related to https://nvd.nist.gov/vuln/detail/CVE-2024-22195
@fnielsen
Copy link
Collaborator Author

There is another requirement: https://github.com/WDscholia/scholia/blob/master/docs/requirements.txt

@fnielsen fnielsen reopened this Mar 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug something wrong on our end
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #2439 Jinja vulnerability WDscholia/scholia
1 participant
@fnielsen