CVE-2021-37634

EPSS 0.31%
Veröffentlicht 09.08.2021 20:15:07
Zuletzt bearbeitet 21.11.2024 06:15:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Leafkit is a templating language with Swift-inspired syntax. Versions prior to 1.3.0 are susceptible to Cross-site Scripting (XSS) attacks. This affects anyone passing unsanitised data to Leaf's variable tags. Before this fix, Leaf would not escape any strings passed to tags as variables. If an attacker managed to find a variable that was rendered with their unsanitised data, they could inject scripts into a generated Leaf page, which could enable XSS attacks if other mitigations such as a Content Security Policy were not enabled. This has been patched in 1.3.0. As a workaround sanitize any untrusted input before passing it to Leaf and enable a CSP to block inline script and CSS data.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vapor ≫ Leafkit Version < 1.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.512

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
security-advisories@github.com	7.4	2.8	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/vapor/leaf-kit-ghsa-rv3x-xq3r-8j9h/pull/1

Broken Link

https://github.com/vapor/leaf-kit/security/advisories/GHSA-rv3x-xq3r-8j9h

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-37634

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-37634

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-37634

EUVD