PT-2024-10415 · Jinja+10

Ry0Tak · Published 2023-01-16 · Updated 2026-06-03 · CVE-2024-34064

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jinja versions prior to 3.1.4
Description: The issue is in the xmlattr filter in Jinja, which accepts keys containing characters that are not valid in an attribute name. XML/HTML attribute names cannot contain spaces, /, >, or =, because each of these characters ends the name and causes the remainder to be interpreted as a separate attribute. If an application accepts attribute keys as user input and renders them through xmlattr in pages that other users see, an attacker could use such a key to inject additional attributes and perform cross-site scripting (XSS). The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Recommendations: For versions prior to 3.1.4, update to version 3.1.4 or later to resolve the issue. As a temporary workaround until the update is applied, validate any user input that is passed to the xmlattr filter as a key so that non-attribute characters (spaces, /, >, =) are rejected, restrict access to the xmlattr filter to minimize the risk of exploitation, and avoid using the xmlattr filter with unvalidated user input.
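The temporary workaround above (reject keys that could not be attribute names before they reach xmlattr) as a worked example. This code is added here for illustration and is not Jinja's own implementation nor code from the advisory's source: the key rule (non-empty string, no whitespace, `/`, `>` or `=`) is taken from the description above, the function names `validate_attr_key`, `is_safe_key` and `safe_xmlattr` are chosen here, and the sample mappings are constructed.

```python
import html
import re
from typing import Any, Mapping

# Characters that may not appear inside an XML/HTML attribute name. Each of them
# terminates the name, so the remainder of the key would be parsed as a new
# attribute (or close the tag). This is the rule from the advisory, assumed here
# as the validation policy; it is not Jinja's own code.
_FORBIDDEN_IN_KEY = re.compile(r"[ \t\n\r\f/>=]")


def validate_attr_key(key: Any) -> str:
    """Return ``key`` unchanged if it is usable as an attribute name, else raise ValueError."""
    if not isinstance(key, str) or not key:
        raise ValueError(f"attribute name must be a non-empty string, got {key!r}")
    if _FORBIDDEN_IN_KEY.search(key):
        raise ValueError(f"attribute name {key!r} contains a character not allowed in attribute names")
    return key


def is_safe_key(key: Any) -> bool:
    """Boolean form of validate_attr_key, convenient for filtering user-supplied dicts."""
    try:
        validate_attr_key(key)
    except ValueError:
        return False
    return True


def safe_xmlattr(attrs: Mapping[str, Any], autospace: bool = True) -> str:
    """Render a mapping as ``key="value"`` pairs, validating every key first.

    Hypothetical drop-in for the xmlattr filter on Jinja < 3.1.4: values are
    HTML-escaped (xmlattr already did that), None values are skipped (as in
    xmlattr), and keys are rejected when they could smuggle in extra attributes.
    The ``autospace`` flag mirrors xmlattr's leading-space behaviour.
    """
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        validate_attr_key(key)
        # Escape the key as well for defence in depth; after validation it cannot
        # contain the name-terminating characters, but may still contain quotes.
        parts.append(f'{html.escape(key, quote=True)}="{html.escape(str(value), quote=True)}"')
    rendered = " ".join(parts)
    if autospace and rendered:
        rendered = " " + rendered
    return rendered


if __name__ == "__main__":
    # Constructed sample: attributes a template might build from user-controlled data.
    good = {"class": "btn", "title": 'say "hi"', "hidden": None}
    print("<a" + safe_xmlattr(good) + ">")

    # Constructed sample: a key containing a space, which the workaround must reject.
    bad = {"class extra": "btn"}
    try:
        safe_xmlattr(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

To apply the workaround in an application that cannot yet upgrade, register the function on the Jinja `Environment` so existing templates that call `|xmlattr` go through the check: `env.filters["xmlattr"] = safe_xmlattr`. Remove the override once the application runs on Jinja 3.1.4 or later, which performs an equivalent key check itself.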

Exploit · Fix · Protection Mechanism Failure · XSS


Weakness Enumeration

Related Identifiers

ALSA-2024:3820
ALSA-2024:4231
ALSA-2024:9150
ALSA-2024_3820
ALSA-2024_4231
ALSA-2024_9150
ALT-PU-2025-3752
AZL-40369
AZL-40420
AZL-40439
AZL-40444
AZL-75801
BDU:2025-00112
BDU:2025-00113
BDU:2025-00945
CESA-2024_4231
CVE-2024-34064
DLA-3988-1
DLA-3988-2
GHSA-H75V-3VVJ-5MFJ
INFSA-2024_3820
INFSA-2024_4231
INFSA-2024_9150
MGASA-2024-0199
OESA-2024-1605
OPENSUSE-SU-2024:13930-1
OPENSUSE-SU-2024_1863-1
OPENSUSE-SU-2024_1864-1
RHSA-2024:3781
RHSA-2024:3795
RHSA-2024:3811
RHSA-2024:3820
RHSA-2024:4231
RHSA-2024:4404
RHSA-2024:4414
RHSA-2024:4427
RHSA-2024:4522
RHSA-2024:4616
RHSA-2024:4958
RHSA-2024:5662
RHSA-2024:5810
RHSA-2024:6011
RHSA-2024:9150
RHSA-2024_3820
RHSA-2024_4231
RHSA-2024_9150
RHSA-2025:1335
RLSA-2024:3820
RLSA-2024:4231
RLSA-2024:9150
SUSE-SU-2024:1863-1
SUSE-SU-2024:1863-2
SUSE-SU-2024:1864-1
SUSE-SU-2024:1948-1
SUSE-SU-2024_1948-1
SUSE-SU-2025:20035-1
USN-6787-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Jinja
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu