{"id":"UBUNTU-CVE-2023-2142","details":"In Nunjucks versions prior to 3.2.4, it was possible to bypass the restrictions provided by the autoescape functionality. If two user-controlled parameters were used on the same line in the views, it was possible to inject cross-site scripting payloads using the backslash \\ character.","modified":"2026-05-20T16:13:24.342050308Z","published":"2024-11-26T12:15:00Z","upstream":["CVE-2023-2142"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-2142"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-2142"},{"type":"REPORT","url":"https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw"}],"affected":[{"package":{"name":"node-nunjucks","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/node-nunjucks?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.2.3+dfsg+~cs1.0.1-3"],"ecosystem_specific":{"binaries":[{"binary_name":"node-nunjucks","binary_version":"3.2.3+dfsg+~cs1.0.1-3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-2142.json"}},{"package":{"name":"node-nunjucks","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/node-nunjucks?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.2.3+dfsg+~cs1.0.1-3","3.2.4+~cs4.2.7-1"],"ecosystem_specific":{"binaries":[{"binary_name":"node-nunjucks","binary_version":"3.2.4+~cs4.2.7-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-2142.json"}},{"package":{"name":"node-nunjucks","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/node-nunjucks?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.2.4+~cs4.2.7-1","3.2.4+~cs4.2.7-2"],"ecosystem_specific":{"binaries":[{"binary_version":"3.2.4+~cs4
.2.7-2","binary_name":"node-nunjucks"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-2142.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}