VYPR
Moderate severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 16, 2024

CVE-2018-3735

Description

bracket-template suffers from reflected XSS possible when variable passed via GET parameter is used in template

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

bracket-template <=1.1.5 is vulnerable to reflected XSS when a GET parameter value is used unsanitized in a template.

Vulnerability

The npm package bracket-template, version 1.1.5 and earlier, contains a reflected cross-site scripting vulnerability. When a user-supplied value passed via a GET parameter is embedded directly into a template, the package does not escape the substituted value, so the parameter can inject arbitrary HTML or JavaScript into the rendered page [1][2].

Exploitation

An attacker can craft a malicious URL containing a GET parameter with embedded JavaScript code. The victim must be tricked into visiting that URL while the application using bracket-template renders the template with the unsanitized parameter [1][2]. No authentication is required beyond the victim's session with the affected application.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session [1][2]. This can lead to session hijacking, credential theft, defacement, or other actions that the victim can perform on the origin web application.

Mitigation

Users should upgrade bracket-template to version 1.1.6 or later, which fixes the vulnerability [2]. The patch was published to npm on July 27, 2018. If upgrading is not immediately possible, applications should HTML-escape user-controlled values before passing them to the template for rendering.
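To make the escaping advice concrete, here is an added example (not code from bracket-template, its maintainers, or this advisory) that contrasts the unsafe pattern the description implies with the hardened one: a toy `{{name}}` substitution, first inserting a GET parameter as-is, then HTML-escaping every substituted value at the sink. The template syntax, the function names, and the sample request URL are assumptions made for the example; the real bracket-template API may differ.

```javascript
// Added example, not bracket-template's own code. `renderUnescaped` mimics a
// "{{key}}" substitution that trusts its inputs; `renderEscaped` is the same
// substitution with HTML escaping applied to each value before insertion.

// The five characters that need escaping in HTML text and attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: replaces {{key}} with vars[key] verbatim (assumed toy syntax).
function renderUnescaped(template, vars) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(vars, key) ? String(vars[key]) : ""
  );
}

// Hardened pattern: every substituted value is escaped at the point of output.
function renderEscaped(template, vars) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(vars, key) ? escapeHtml(vars[key]) : ""
  );
}

// Extract the "name" GET parameter the way a request handler would
// (URL is a Node global; the base origin is only needed to parse a path).
function nameFromQuery(requestUrl) {
  return new URL(requestUrl, "http://localhost").searchParams.get("name") || "";
}

// Detection-style check: does the rendered HTML still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const TEMPLATE = "<h1>Hello, {{name}}!</h1>";
// Constructed request URL whose GET parameter carries markup (test input only).
const SAMPLE_URL = "/greet?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

const name = nameFromQuery(SAMPLE_URL);
console.log("unescaped:", renderUnescaped(TEMPLATE, { name }));
console.log("escaped:  ", renderEscaped(TEMPLATE, { name }));
```

The escaping lives in the renderer rather than in each call site, which is the property the 1.1.6 fix restores: a developer who forgets to sanitize one parameter is still protected because the sink never emits raw markup from a variable.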

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bracket-template (npm)
Affected versions: <= 1.1.5
Patched versions: none listed

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.