Bug 1295755

Summary: nodejs-mustache: Content injection via quoteless attributes in templates
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anish.developer, piotr1212
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-mustache 2.2.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-05 12:13:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1291743, 1295756    
Bug Blocks:    

Description Adam Mariš 2016-01-05 12:08:11 UTC 
A content injection vulnerability was found in mustache templates, caused by not using quotes around the attributes in templates.

External reference:

https://nodesecurity.io/advisories/62

Upstream patch:

https://github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5
Comment 1 Adam Mariš 2016-01-05 12:08:41 UTC 
Created nodejs-mustache tracking bugs for this issue:

Affects: fedora-all [bug 1295756]
Comment 2 Adam Mariš 2016-01-05 12:13:38 UTC 

*** This bug has been marked as a duplicate of bug 1291742 ***