MSA-19-0018: JavaScript injection possible in some Mustache templates via recursive rendering from contexts
|
System information
|
|
|
Affected software |
PHP |
Description
|
by Michael Hawkins. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.Severity/Risk:SeriousVersions affected:3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versionsVersions fixed:3.7.2, 3.6.6 and 3.5.8Reported by:Sam Hemelryk, Andrew NicolsCVE identifier:CVE-2019-14827Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=391030&parent=1576204 |
Standar resources
|
Property |
Value |
CVE |
CVE-2019-14827. |