OSVDB-131671 (mustache-js-rails): mustache.js - quoteless attributes in templates can lead to XSS

mustache.js - quoteless attributes in templates can lead to XSS

Published: November 17, 2015

SECURITY IDENTIFIERS

OSVDB: OSVDB-131671
Vendor Advisory: https://security.snyk.io/vuln/SNYK-RUBY-MUSTACHEJSRAILS-20242

GEM

mustache-js-rails

PATCHED VERSIONS

>= 2.0.3

DESCRIPTION

The upstream 'mustache.js' node.js module was found to not properly escape backtick (`) and equals (=) characters, leading to possible content injection via attributes in templates.

Example:

Template: <a href={{foo}}/>
Input: { 'foo' : 'test.com onload=alert(1)'}
Rendered result: <a href=test.com onload=alert(1)/>

GHSA-w3w8-37jv-2c58
https://github.com/janl/mustache.js/pull/530
https://security.snyk.io/vuln/SNYK-RUBY-MUSTACHEJSRAILS-20242
https://www.veracode.com/blog/research/handlebarsjs-vulnerability-impact-study

RubySec

OSVDB-131671 (mustache-js-rails): mustache.js - quoteless attributes in templates can lead to XSS

mustache.js - quoteless attributes in templates can lead to XSS

SECURITY IDENTIFIERS

GEM

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories