CVE-2023-2142

Name of the Vulnerable Software and Affected Versions Nunjucks versions prior to 3.2.4

Description The issue allows bypassing the restrictions provided by the autoescape functionality in Nunjucks. If two user-controlled parameters are on the same line in the views, it is possible to inject cross-site scripting payloads using the backslash character. This can be achieved when user-controlled parameters are used in a way that allows injection of malicious scripts.

Recommendations For versions prior to 3.2.4, update to version 3.2.4 to resolve the issue. As a temporary workaround, consider restricting the use of user-controlled parameters on the same line in views to minimize the risk of exploitation. Avoid using the backslash character in user-controlled parameters until the issue is resolved.