CVE-2022-21648

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-21648

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-21648.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-21648

Aliases

GHSA-36m2-8rhx-f36j

Related

UBUNTU-CVE-2022-21648

Published

2022-01-04T20:15:08Z

Modified

2024-10-12T09:08:19.482042Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Latte is an open source template engine for PHP. Versions since 2.8.0 Latte has included a template sandbox and in affected versions it has been found that a sandbox escape exists allowing for injection into web pages generated from Latte. This may lead to XSS attacks. The issue is fixed in the versions 2.8.8, 2.9.6 and 2.10.8. Users unable to upgrade should not accept template input from untrusted sources.

References

Affected packages

Git / github.com/nette/latte

Affected ranges

Type: GIT
Repo: https://github.com/nette/latte
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0

Affected versions

v2.*

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.10.6

v2.10.7

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.7.1

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.9.0

v2.9.1

v2.9.2