VIR Vulnerability Intelligence Relay

CVE-2010-2480

medium
Published 2022-05-17 · Modified 2023-11-08
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v2
4.3
VIR risk
4.3

Description

Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element.

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2010-2480

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/39935

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed0.3.4-1
debian debianbullseyefixed0.3.4-1
debian debianforkyfixed0.3.4-1
debian debiansidfixed0.3.4-1
debian debiantrixiefixed0.3.4-1

Package impact
EcosystemPackageVulnerableFixed
python PyPImako<0.3.40.3.4

Application impact
VendorProductVersionsFixed
makotemplatesmako{"endIncluding":"0.3.3"}
makotemplatesmako0.1.0
makotemplatesmako0.1.1
makotemplatesmako0.1.2
makotemplatesmako0.1.3
makotemplatesmako0.1.4
makotemplatesmako0.1.5
makotemplatesmako0.1.6
makotemplatesmako0.1.7
makotemplatesmako0.1.8
makotemplatesmako0.1.9
makotemplatesmako0.1.10
makotemplatesmako0.2.0
makotemplatesmako0.2.1
makotemplatesmako0.2.2
makotemplatesmako0.2.3
makotemplatesmako0.2.4
makotemplatesmako0.2.5
makotemplatesmako0.2.6
makotemplatesmako0.3
makotemplatesmako0.3.1
makotemplatesmako0.3.2

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.