PT-2023-24603 · Jstachio · Jstachio

Casid · Published 2023-05-30 · Updated 2023-06-06 · CVE-2023-33962

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: JStachio versions prior to 1.0.1

Description: JStachio fails to escape single quotes (') in HTML, allowing an attacker to inject malicious code. This can be exploited to execute arbitrary JavaScript in the context of other users visiting pages rendered with this template engine, leading to consequences such as session hijacking, defacement of web pages, theft of sensitive information, or propagation of malware.

Recommendations: To mitigate this vulnerability, update to version 1.0.1 or later, which contains a patch for this issue. As a temporary workaround, use only double quotes (") for HTML attributes, since the double quote is escaped. To properly escape special characters, including single quotes, escape ' as &#39;.
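The following Java sketch is an added illustration and is not JStachio's code or part of the advisory. It places an escaper that handles only &amp; &lt; &gt; and " (the class of gap described above) beside one that also maps ' to &#39;, renders a single-quoted attribute with a constructed value that tries to close the attribute early, and then counts the attributes a simple quote-aware tokenizer sees. The names (escapeIncomplete, escapeComplete, render, attributeNames) and the sample template and input are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative escapers; not JStachio's implementation. */
public class AttributeEscapeDemo {

    /** Escapes & < > " but leaves ' alone: the gap the advisory describes. */
    static String escapeIncomplete(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Same as above plus ' -> &#39; so a value is inert in either attribute quoting style. */
    static String escapeComplete(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Minimal {{name}} substitution standing in for a template engine's escaped output. */
    static String render(String template, Map<String, String> model, UnaryOperator<String> escaper) {
        Matcher m = Pattern.compile("\\{\\{(\\w+)\\}\\}").matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = model.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(escaper.apply(value)));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Simplified, quote-aware attribute tokenizer for a single opening tag (enough for this demo). */
    static List<String> attributeNames(String tag) {
        List<String> names = new ArrayList<>();
        int i = tag.indexOf(' ') + 1;        // skip the tag name
        int end = tag.indexOf('>');
        while (i < end) {
            while (i < end && tag.charAt(i) == ' ') i++;
            int nameStart = i;
            while (i < end && tag.charAt(i) != '=' && tag.charAt(i) != ' ') i++;
            if (i == nameStart) break;
            names.add(tag.substring(nameStart, i));
            if (i < end && tag.charAt(i) == '=') {
                i++;
                char q = tag.charAt(i);
                if (q == '\'' || q == '"') {      // quoted value: runs to the matching quote
                    int close = tag.indexOf(q, i + 1);
                    i = close < 0 ? end : close + 1;
                } else {                          // unquoted value: runs to the next space
                    while (i < end && tag.charAt(i) != ' ') i++;
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed input: a value that tries to terminate a single-quoted attribute early.
        String untrusted = "x' data-injected='yes";
        String template = "<span title='{{title}}'>hi</span>";
        Map<String, String> model = Map.of("title", untrusted);

        String weak = render(template, model, AttributeEscapeDemo::escapeIncomplete);
        String fixed = render(template, model, AttributeEscapeDemo::escapeComplete);

        System.out.println(weak + " -> attributes " + attributeNames(weak));   // [title, data-injected]
        System.out.println(fixed + " -> attributes " + attributeNames(fixed)); // [title]
    }
}
```

With the incomplete escaper the rendered tag gains a second, attacker-controlled attribute; with the complete escaper the whole value stays inside `title`. This is also why switching templates to double-quoted attributes works as an interim measure: the double quote is already escaped, so the boundary cannot be closed from inside the value.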

Exploit · Fix · XSS


Weakness Enumeration

Related identifiers

CVE-2023-33962
GHSA-GWXV-JV83-6QJR

Affected products

Jstachio