CVE-2024-22195

Name of the Vulnerable Software and Affected Versions Jinja2 (affected versions not specified)

Description Jinja is an extensible templating engine that allows writing code similar to Python syntax. The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to Cross-Site Scripting (XSS). It may also be possible to bypass attribute validation checks if they are blacklist-based. The xmlattr filter in affected versions of Jinja accepts keys containing spaces, which can be used to inject other attributes and perform XSS.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.