Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNjcXItNThybS01N2Y4
Arbitrary Code Execution in Handlebars
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Permalink: https://github.com/advisories/GHSA-3cqr-58rm-57f8JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNjcXItNThybS01N2Y4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 5 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
Identifiers: GHSA-3cqr-58rm-57f8, CVE-2019-20920
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-20920
- https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
- https://www.npmjs.com/advisories/1316
- https://www.npmjs.com/advisories/1324
- https://www.npmjs.com/package/handlebars
- https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
- https://github.com/advisories/GHSA-3cqr-58rm-57f8
Blast Radius: 49.4
Affected Packages
npm:handlebars
Dependent packages: 15,556Dependent repositories: 1,258,975
Downloads: 65,805,502 last month
Affected Version Ranges: >= 4.0.0, < 4.5.3, < 3.0.8
Fixed in: 4.5.3, 3.0.8
All affected versions: 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 2.0.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0, 4.5.1, 4.5.2
All unaffected versions: 3.0.8, 4.5.3, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8