GHSA-3cqr-58rm-57f8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3cqr-58rm-57f8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-3cqr-58rm-57f8/GHSA-3cqr-58rm-57f8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3cqr-58rm-57f8
- Aliases
-
- CVE-2019-20920
- SNYK-JS-HANDLEBARS-534478
- Related
- Published
- 2022-02-10T20:38:19Z
- Modified
- 2024-08-01T09:11:47.615922Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
- Summary
- Arbitrary Code Execution in Handlebars
- Details
-
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-20920
- https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
- https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
- https://www.npmjs.com/advisories/1316
- https://www.npmjs.com/advisories/1324
- https://www.npmjs.com/package/handlebars
Affected packages
npm / handlebars
Package
- Name
- handlebars
- View open source insights on deps.dev
- Purl
- pkg:npm/handlebars
npm / handlebars
Package
- Name
- handlebars
- View open source insights on deps.dev
- Purl
- pkg:npm/handlebars