Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwcmgtMjU3dy05Mjc3
Cross-Site Scripting in handlebars
Versions of handlebars
prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
Proof of Concept
Template:
<a href={{foo}}/>
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href=test.com onload=alert(1)/>
Recommendation
Update to version 4.0.0 or later.
Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwcmgtMjU3dy05Mjc3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 6 years ago
Updated: almost 2 years ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00153
EPSS Percentile: 0.52029
Identifiers: GHSA-9prh-257w-9277, CVE-2015-8861
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-8861
- https://github.com/wycats/handlebars.js/pull/1083
- https://blog.srcclr.com/handlebars_vulnerability_research_findings/
- https://github.com/advisories/GHSA-9prh-257w-9277
- https://www.npmjs.com/advisories/61
- https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings/
- https://www.tenable.com/security/tns-2016-18
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- http://www.securityfocus.com/bid/96434
Blast Radius: 37.2
Affected Packages
npm:handlebars
Dependent packages: 15,556Dependent repositories: 1,258,975
Downloads: 70,806,268 last month
Affected Version Ranges: < 4.0.0
Fixed in: 4.0.0
All affected versions: 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 2.0.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8
All unaffected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8