Vulnerability Details : CVE-2022-21648
Latte is an open source template engine for PHP. Since version 2.8.0 it has shipped a template sandbox, and in the affected versions a sandbox escape was found that allows injection into web pages generated from Latte templates, which may lead to XSS attacks. Per the referenced fix commit, the bypass involved complex expressions embedded in strings, which the patch now prohibits in sandbox mode. The issue is fixed in versions 2.8.8, 2.9.6 and 2.10.8. Users unable to upgrade should not accept template input from untrusted sources.
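The advisory's two mitigations are "upgrade to a fixed release" and "do not render untrusted templates on an affected one". The following PHP snippet is an added example, not code from the advisory or from the nette/latte project: it encodes the fixed-version boundaries from the advisory, refuses to render a third-party template on an affected (or sandbox-less) Latte, and otherwise renders it only in sandbox mode under Latte's restrictive safe policy. It assumes the `nette/latte` Composer package, Composer 2's `Composer\InstalledVersions` runtime API, and PHP 7.4 or later; treating every release from 2.10.8 onward as fixed is an assumption of this example, not something the advisory states.

```php
<?php
// Added example (not from the advisory or the nette/latte project): gate
// rendering of untrusted templates on a patched Latte version and on
// sandbox mode. Assumes nette/latte via Composer, Composer 2's
// Composer\InstalledVersions API, and PHP >= 7.4.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Latte\Engine;
use Latte\Loaders\StringLoader;
use Latte\Sandbox\SecurityPolicy;

/**
 * True when $version carries the sandbox fix for CVE-2022-21648.
 * Fixed releases per the advisory: 2.8.8, 2.9.6 and 2.10.8. Releases before
 * 2.8.0 have no sandbox at all, so they are never safe for untrusted input.
 * Treating everything from 2.10.8 onward as fixed is this example's assumption.
 */
function latteSandboxIsPatched(string $version): bool
{
    $v = ltrim($version, 'v');                    // Composer may report "v2.10.7"
    if (version_compare($v, '2.8.0', '<')) {
        return false;                             // no sandbox exists at all
    }
    if (version_compare($v, '2.9.0', '<')) {
        return version_compare($v, '2.8.8', '>=');   // 2.8.x line
    }
    if (version_compare($v, '2.10.0', '<')) {
        return version_compare($v, '2.9.6', '>=');   // 2.9.x line
    }
    return version_compare($v, '2.10.8', '>=');      // 2.10.x line and later
}

/**
 * Render a template supplied by an untrusted party. Refuses outright on an
 * affected Latte; otherwise renders only under the sandbox with the
 * restrictive safe policy (an allow-list of tags, filters and functions).
 */
function renderUntrustedTemplate(string $source, array $params): string
{
    $installed = \Composer\InstalledVersions::getPrettyVersion('nette/latte') ?? '0.0.0';
    if (!latteSandboxIsPatched($installed)) {
        throw new RuntimeException(
            "nette/latte $installed is affected by CVE-2022-21648 or has no sandbox; refusing untrusted template"
        );
    }

    $latte = new Engine;
    $latte->setLoader(new StringLoader(['untrusted' => $source])); // template text, not a file path
    $latte->setPolicy(SecurityPolicy::createSafePolicy());         // allow-list policy
    $latte->setSandboxMode();                                      // every template is checked against the policy
    return $latte->renderToString('untrusted', $params);
}

// Constructed sample input: a template written by an untrusted author.
// {$name} is escaped by Latte's context-aware auto-escaping.
echo renderUntrustedTemplate('<p>Hello {$name}</p>', ['name' => '<script>x</script>']), PHP_EOL;
```

The version gate is deliberately separate from the sandbox setup: sandbox mode alone is exactly what the advisory says was bypassable, so on an affected release the only safe answer is to not render the template at all.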
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-21648
- cpe:2.3:a:nette:latte:*:*:*:*:*:*:*:* (the source record lists this CPE three times, presumably one entry per affected release line, 2.8.x, 2.9.x and 2.10.x below the fixed versions; the version bounds did not survive extraction)
Exploit prediction scoring system (EPSS) score for CVE-2022-21648
- EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
- Percentile: ~30% (proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-21648
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST
8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N | 2.8 | 4.7 | GitHub, Inc.

The first row is a CVSS v2 vector; the other two are CVSS 3.1. The NIST and GitHub 3.1 vectors differ only in the Confidentiality metric (C:L versus C:H), which is what moves the base score from 6.1 to 8.2.
CWE ids for CVE-2022-21648
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2022-21648
- https://github.com/nette/latte/security/advisories/GHSA-36m2-8rhx-f36j
  "A specially constructed input could bypass the sandbox" (nette/latte GitHub security advisory). Third Party Advisory.
- https://github.com/nette/latte/commit/9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0
  "PhpWriter: complex expression in strings prohibited in sandbox mode" (nette/latte fix commit). Patch; Third Party Advisory.