CVE-2024-22195
MEDIUMJinja < 3.1.3 - Cross-Site Scripting via xmlattr Filter
Title source: llmDescription
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3/
Third Party Advisory x_refsource_confirm
https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
Release Notes x_refsource_misc
https://github.com/pallets/jinja/releases/tag/3.1.3
Scores
CVSS v3
5.4
EPSS
0.0015
EPSS Percentile
35.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
palletsprojects/jinja
< 3.1.3
pypi/jinja2
0 - 3.1.3PyPI
Published
Jan 11, 2024
Tracked Since
Feb 18, 2026