CVE-2019-20920
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-20920
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20920.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-20920
- Aliases
-
- GHSA-3cqr-58rm-57f8
- SNYK-JS-HANDLEBARS-534478
- Related
- Published
- 2020-09-30T18:15:17Z
- Modified
- 2024-09-18T03:04:36.344098Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
- Summary
- [none]
- Details
-
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
- References
Affected packages
Debian:11 / node-handlebars
Package
- Name
- node-handlebars
- Purl
- pkg:deb/debian/node-handlebars?arch=source
Debian:12 / node-handlebars
Package
- Name
- node-handlebars
- Purl
- pkg:deb/debian/node-handlebars?arch=source
Debian:13 / node-handlebars
Package
- Name
- node-handlebars
- Purl
- pkg:deb/debian/node-handlebars?arch=source
Git / github.com/handlebars-lang/handlebars.js
Affected ranges
- Type
- GIT
- Repo
- https://github.com/handlebars-lang/handlebars.js
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.9.0.pre.4
1.*
1.0.0
1.0.0-rc.3
1.0.0-rc.4
1.0.0.beta.1
1.0.rc.1
1.0.rc.2
v1.*
v1.0.10
v1.0.11
v1.0.12
v1.0.5beta
v1.0.6
v1.0.6-2
v1.0.6beta
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.2.1
v1.3.0
v2.*
v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-beta.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7