Severity: high

Cross-Site Scripting

mustache

Overview

Versions of mustache prior to 2.2.1 are affected by a cross-site scripting vulnerability when attributes in mustache templates are not quoted.

Example

Template: <a href={{foo}}/>

Input: { 'foo' : 'test.com onload=alert(1)'}

Rendered result: <a href=test.com onload=alert(1)/>

Remediation

Update to version 2.2.1 or later. Alternatively, ensure that all attributes in hmustache templates are encapsulated with quotes.

Resources

Advisory timeline

  1. published

    Advisory published
    Dec 14th, 2015
  2. reported

    Dec 14th, 2015