Arbitrary Attribute Injection through Unquoted HTML Attribute Values

Arbitrary Attribute Injection through Unquoted HTML Attribute Values

CVE-2023-29400 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

Learn more about our Web Application Penetration Testing UK.