CVE-2019-20920 – handlebars
Package
Manager: npm
Name: handlebars
Vulnerable Version: >=0 <3.0.8 || >=4.0.0 <4.5.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
EPSS: 0.00343 (percentile 0.56189)
Details
Arbitrary Code Execution in Handlebars
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
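The practical check for this advisory is whether any copy of handlebars in a dependency tree falls inside the stated range. The following is an added example, not code from the advisory or from the handlebars project: a dependency-free semver comparison against the ranges above, applied to the `packages` map of a package-lock.json. The lockfile contents, the version numbers in it and the function names are constructed for illustration; pre-release and build suffixes are stripped before comparing.

```javascript
// Added example: dependency-free check of a handlebars version against this
// advisory's vulnerable ranges. Assumption: only major.minor.patch is compared.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`invalid semver version: ${v}`);
  }
  return parts;
}
// Comparator over the numeric core: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ">=0 <3.0.8 || >=4.0.0 <4.5.3": lower bound inclusive, upper bound exclusive.
const VULNERABLE_RANGES = [["0.0.0", "3.0.8"], ["4.0.0", "4.5.3"]];
function isVulnerableHandlebarsVersion(version) {
  return VULNERABLE_RANGES.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0
  );
}

// Scan the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// return every handlebars copy, nested ones included, that is in the range.
function findVulnerableHandlebars(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isHandlebars =
      path === "node_modules/handlebars" || path.endsWith("/node_modules/handlebars");
    if (isHandlebars && meta.version && isVulnerableHandlebarsVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level copy and a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/handlebars": { version: "4.7.8" },
    "node_modules/some-tool/node_modules/handlebars": { version: "4.5.2" },
  },
};
```

Nested copies are the usual way a patched top-level dependency still leaves a vulnerable build in the tree, which is why the scan walks every path rather than only `node_modules/handlebars`.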
Metadata
Created: 2022-02-10T20:38:19Z
Modified: 2021-04-22T23:38:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-3cqr-58rm-57f8/GHSA-3cqr-58rm-57f8.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-3cqr-58rm-57f8
Finding: F422
Auto approve: 1