CVE-2024-26151

The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `<script>` would be rendered as `<script>` in the final HTML output. The attacker must be able to control some data which is later injected in an mjml template which is then send out as email to other users. The attacker could control contents of email messages sent through the platform. The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue. As a workaround, ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/FelixSchwarz/mjml-python/commit/84c495da20a91640a1ca551ace17df7f3be644aa
https://github.com/FelixSchwarz/mjml-python/commit/8d410b7a500703080bb14ed7e3d2663fe16767e6
https://github.com/FelixSchwarz/mjml-python/issues/52
https://github.com/FelixSchwarz/mjml-python/releases/tag/v0.11.0
https://github.com/FelixSchwarz/mjml-python/security/advisories/GHSA-578p-fxmm-6229

Configurations

No configuration.

History

22 Feb 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-22 19:15

Updated : 2024-02-23 02:42

NVD link : CVE-2024-26151

Mitre link : CVE-2024-26151

CVE.ORG link : CVE-2024-26151

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2024-26151", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 5.3, "exploitabilityScore": 2.3}]}, "published": "2024-02-22T19:15:09.300", "references": [{"url": "https://github.com/FelixSchwarz/mjml-python/commit/84c495da20a91640a1ca551ace17df7f3be644aa", "source": "security-advisories@github.com"}, {"url": "https://github.com/FelixSchwarz/mjml-python/commit/8d410b7a500703080bb14ed7e3d2663fe16767e6", "source": "security-advisories@github.com"}, {"url": "https://github.com/FelixSchwarz/mjml-python/issues/52", "source": "security-advisories@github.com"}, {"url": "https://github.com/FelixSchwarz/mjml-python/releases/tag/v0.11.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/FelixSchwarz/mjml-python/security/advisories/GHSA-578p-fxmm-6229", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `<script>` would be rendered as `<script>` in the final HTML output. The attacker must be able to control some data which is later injected in an mjml template which is then send out as email to other users. The attacker could control contents of email messages sent through the platform. The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue. As a workaround, ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML."}], "lastModified": "2024-02-23T02:42:54.547", "sourceIdentifier": "security-advisories@github.com"}