jinja2@3.0.1 vulnerabilities

A very fast and expressive template engine.

latest version

3.1.4
latest non vulnerable version

3.1.4
first published

16 years ago
latest version published

12 days ago
licenses detected
- BSD-3-Clause
  [2.10.2,3.1.4)
View jinja2 package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the jinja2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `xmlattr` filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure. Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters. How to fix Cross-site Scripting (XSS)? Upgrade `Jinja2` to version 3.1.4 or higher.	[,3.1.4)
M Cross-site Scripting (XSS) Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `xmlattr` filter, when using keys containing spaces in an application accepts keys as user input. An attacker can inject arbitrary HTML attributes into the rendered HTML template, bypassing the auto-escaping mechanism, which may lead to the execution of untrusted scripts in the context of the user's browser session. Note Accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix. How to fix Cross-site Scripting (XSS)? Upgrade `Jinja2` to version 3.1.3 or higher.	[,3.1.3)

Cross-site Scripting (XSS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the xmlattr filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure.

Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters.

How to fix Cross-site Scripting (XSS)?

Upgrade Jinja2 to version 3.1.4 or higher.

[,3.1.4)

Cross-site Scripting (XSS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the xmlattr filter, when using keys containing spaces in an application accepts keys as user input. An attacker can inject arbitrary HTML attributes into the rendered HTML template, bypassing the auto-escaping mechanism, which may lead to the execution of untrusted scripts in the context of the user's browser session.

Note Accepting keys as user input is not common or a particularly intended use case of the xmlattr filter, and an application doing so should already be verifying what keys are provided regardless of this fix.

How to fix Cross-site Scripting (XSS)?

Upgrade Jinja2 to version 3.1.3 or higher.

[,3.1.3)

Go back to all versions of this package

jinja2@3.0.1 vulnerabilities

A very fast and expressive template engine.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities