CVE-2016-10547

Name of the Vulnerable Software and Affected Versions Nunjucks versions 2.4.2 and lower

Description The issue concerns a cross-site scripting vulnerability in autoescape mode. Normally, all template variables should be automatically escaped in this mode. However, by using an array for the keys, such as name[]=<script>alert(1)</script>, it is possible to bypass autoescaping and inject content into the DOM. This allows for the injection of malicious scripts, potentially leading to unauthorized actions on the affected system.

Recommendations Update to version 2.4.3 or later. As a temporary workaround, consider restricting the use of array keys in template variables to minimize the risk of exploitation.