Content Injection due to quoteless attributes Affecting mustache package, versions <2.2.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.29% (69th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Content Injection due to quoteless attributes vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDnpm:mustache:20151207
  • published14 Dec 2015
  • disclosed7 Dec 2015
  • creditMatias P. Brutti

Introduced: 7 Dec 2015

CVE-2015-8862  (opens in a new tab)
CWE-79  (opens in a new tab)

Overview

When using attributes without quotes in a mustache template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the mustache template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability.

Example

For example, assume mustache was used to display user comments, using the following template: <a href={{email}}>{{name}}</a><pre>{{comment}}</pre>

If an attacker spoofed his email address and provided the following value: jane@evil.org onload=alert(document.cookie)

The resulting HTML would be: <a href=wizard@evil.org onload=alert(document.cookie)>Evil Wizard</a><pre>Busted!</pre>

CVSS Scores

version 3.1