{"id":"CVE-2021-23824","details":"This affects the package Crow before 0.3+4. When using attributes without quotes in the template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability.","modified":"2026-04-11T13:53:56.769319Z","published":"2022-01-13T15:15:07.867Z","related":["SNYK-UNMANAGED-CROW-2336164"],"references":[{"type":"ADVISORY","url":"https://github.com/CrowCpp/Crow/releases/tag/v0.3%2B4"},{"type":"FIX","url":"https://github.com/CrowCpp/Crow/pull/317"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-UNMANAGED-CROW-2336164"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/crowcpp/crow","events":[{"introduced":"0"},{"fixed":"87adb19e43caf5a060674a9b67a86c8ced944892"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.3\\+4"}]}}],"versions":["0.2","v0.1","v0.3","v0.3+1","v0.3+2","v0.3+3"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"include/crow/utility.h"},"signature_version":"v1","id":"CVE-2021-23824-12a79ab1","signature_type":"Line","digest":{"line_hashes":["270180290808799704625861061071963024447","232430508883035158896717505508516657747","262664243122146650943640823496684020337","72337285499495489527186453586391144079","210137223262671306841970857292267352864"],"threshold":0.9},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"},{"deprecated":false,"target":{"file":"include/crow/http_response.h"},"signature_version":"v1","id":"CVE-2021-23824-22eb7570","signature_type":"Line","digest":{"line_hashes":["68347193707338572655780735745214112181","75431090170659190071408126813171719309","157678522115897480844164175230280748608","37161985171631011887247797072367031586","67535390915801926960878685503464815783","45366827396109642208091888567357783542","285088237170502484940756692658781383876","135602698476873454051713026587222441972","73663215777797141266836468008163805182","95435950148497200904841179096829750864","217174954001912010317510623687502841557","279653976715509980526134319444863917095","176533012934462203669160414455139652648","277029724309103089191107801048706139508","143238353659365097056005863158281479922","221726504558076280436272102859624986373","138479697390760696061275083667369529011","283842939065212764973117180184908921770","315981921241938525026606573486196366912","317682817095151544996293344635419117349","43378816146862448232118425391332105295","164605552352124896191158892769423192199","161258501924634158288687523602049523729","182455298857777160664476819403589201702","65915109713320646252000739139654791984","158071597432579624849081072753603277252","227144715926899675106876236250919234680","104828645232027109331820383377205191834","52871664903745865741000303345400916809","191562794977818463245293520321968551378","30049092263592282760743007935646778188","329096388342410688515348453215555472347","18955442849319742516805496374883681756","338527781759303255709051295625794130673","217396863888995966592027498847640252785","54757274091901067299804988371172780308","155705172552043438090110581887802727000","115348932578231244353017881372075402579","45550267283356082948463188906925400971","271106181268095997400693338505204172248","79014870458553426454902249664018404919","196513286044505674799016839639018707250","207225070235696650824225505123917810916","3771662287613236069616799698771665693","333836902015743260444556393546824413923","5658873948882411464177002242055743710","288821799621751021896467734449647932768","190025386497606822272273689781888281430","113447747807630860045925890588761452333","84738621452473768809203435676001643677","312093055513304837771342992103310862481","305102252216207780961680919205343573671","13998904698740384676166271143508475797","165547691074515685750241188019390975047","283582228540275494141313426393665307490","166923472804827984630825297533270852208","119730811597351196385659538186263990227","325674213517256725348523708649720537314","333783442241703727452495912133250926223","234426306562494503893313705075975745821","298360205172736888474250130942140416659","125692049191960348126948697095729673680","230509748127096425096171086515785006839","305260473803562333268612624121294879101","290523722846281548384725257884371325911","289399905188392423281004488477976025580","17071949305494217580846235623129035776","19691277313472666588625658890407023253","106505192027071638323232178624740006418","305409098144489412097085403687735955863","77989952832798681153193699558561840687","311479050556961999661709235459886293342","123530847225940689002393720425952988312","89244134167468305813329748891246035924","139250720037447251625193348273558269399","112281385015752418163076419586966723419","248903682042886180294500682043915925393","215831503921888146377477691678125399780"],"threshold":0.9},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"},{"deprecated":false,"target":{"file":"include/crow/app.h"},"signature_version":"v1","id":"CVE-2021-23824-26849bb1","signature_type":"Line","digest":{"line_hashes":["313507359345807944316742876431360507294","312531379085409338039787932094326032926","96877839320255063191841887532706315232","1889787201573999232941995969515666820"],"threshold":0.9},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"},{"deprecated":false,"target":{"file":"include/crow/http_server.h"},"signature_version":"v1","id":"CVE-2021-23824-299ee70e","signature_type":"Line","digest":{"line_hashes":["179176771308710962560420685199471274518","122508258239385338830746217484132799030","109118082435682703824262910338378089855","256488247781470943199559653485669475323"],"threshold":0.9},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"},{"deprecated":false,"target":{"file":"include/crow/json.h"},"signature_version":"v1","id":"CVE-2021-23824-71df0c38","signature_type":"Line","digest":{"line_hashes":["122524380980721106675981949636422885900","234882535746867209713223175226296615430","177942544145241628526823439774796657081","194901506599340692581975778161257661412"],"threshold":0.9},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"},{"deprecated":false,"target":{"file":"include/crow/http_connection.h"},"signature_version":"v1","id":"CVE-2021-23824-8782a06a","signature_type":"Line","digest":{"line_hashes":["23257185175207656591290547856034309718","188884322748650166457278578290889460076","65599411412293793072991413149637660606","237487198300810258255713003532364659368","214232837542504027761954615164472310268","5515553167555718878877076999958941397","59553920910973963754928455802851058255","131602138700337235516351043562070463877","188849883887590117210774193366568160557","302527409971546535106871598941405759529","171635833792731202707677143569781355111","269096808306269626648147267541817482295","221151944161876219310842424743111120394","228746098761434737560344535739990617318","87255461712494211372435342762839623976","262267691709341023166314018167645609009","34792941249117369370863400331806368734"],"threshold":0.9},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"},{"deprecated":false,"target":{"function":"load","file":"include/crow/mustache.h"},"signature_version":"v1","id":"CVE-2021-23824-88779099","signature_type":"Function","digest":{"function_hash":"287575781123955048104979900075719967873","length":110},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"},{"deprecated":false,"target":{"function":"escape","file":"include/crow/json.h"},"signature_version":"v1","id":"CVE-2021-23824-9d4323a6","signature_type":"Function","digest":{"function_hash":"204191044483675379121764141661263843381","length":691},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"},{"deprecated":false,"target":{"file":"include/crow/mustache.h"},"signature_version":"v1","id":"CVE-2021-23824-f86a49c4","signature_type":"Line","digest":{"line_hashes":["162099581623391762551084097667763895168","243279579843429086421829427123440591552","27729646556335079989917923631664481320","170758604772593712810658008823389633205","191419419061307971668790491110467767379","31923641268334282549809595137597329774","339372811886929845828192048734722593098","60957758119360296942378310682973869818","65150894221793065847095847805421330053","231241993418671370874560057640211673901","207594312623618426072648813375435649216","101000889827927546599743689497912205574"],"threshold":0.9},"source":"https://github.com/crowcpp/crow/commit/87adb19e43caf5a060674a9b67a86c8ced944892"}],"vanir_signatures_modified":"2026-04-11T13:53:56Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23824.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}