CVE-2015-8862

MEDIUM

Mustache.js < 2.2.0 - XSS

Title source: rule

Description

mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.

References (4)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2016/04/20/11

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/96436

[Exploit, Patch, Vendor Advisory] https://nodesecurity.io/advisories/62

[Third Party Advisory] https://www.tenable.com/security/tns-2016-18

Scores

CVSS v3 6.1

EPSS 0.0013

EPSS Percentile 31.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (3)

mustache.js_project/mustache.js < 2.2.0

npm/mustache < 2.2.1npm

n/a/n/a

Timeline

Published Jan 23, 2017

Tracked Since Feb 18, 2026