Reflected cross-site scripting (XSS) in mustache.js

Description

Cross-Site Scripting in handlebars

Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebars templates are not quoted.

Proof of Concept

Template: <a href={{foo}}/>

Input: { 'foo' : 'test.com onload=alert(1)'}

Rendered result: <a href=test.com onload=alert(1)/>

Recommendation

Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
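
The following is an added example, not code from handlebars or from this advisory. It renders the proof-of-concept template with and without quotes to show how the attribute list changes, and includes a small check that flags unquoted template expressions in attribute position. The names escapeHtml, render, attrNames and findUnquotedAttrs are hypothetical, and escapeHtml is a simplified stand-in for a template engine's HTML escaping.

```javascript
// Added example, not handlebars code. escapeHtml is a simplified stand-in
// (assumption) for a template engine's HTML escaping: it encodes & < > " ' only.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);

// Minimal {{name}} substitution with escaping, enough to reproduce the rendering.
function render(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, k) => escapeHtml(data[k] ?? ""));
}

// Attribute names an HTML tokenizer would see in one rendered tag (simplified).
function attrNames(tag) {
  const inner = tag.replace(/^<\s*\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return [...inner.matchAll(re)].map((m) => m[1].toLowerCase());
}

// Lint check: report {{...}} used as an unquoted attribute value inside a tag.
// Simplification: a ">" inside an expression within a tag ends tag tracking early.
function findUnquotedAttrs(template) {
  const findings = [];
  let inTag = false, quote = null;
  for (let i = 0; i < template.length; i++) {
    const c = template[i];
    if (quote) { if (c === quote) quote = null; continue; } // inside a quoted value
    if (!inTag) { if (c === "<") inTag = true; continue; }  // text content
    if (c === ">") inTag = false;
    else if (c === '"' || c === "'") quote = c;
    else if (c === "=") {
      const m = /^\s*(\{\{\{?[^}]*\}\}\}?)/.exec(template.slice(i + 1));
      if (m) {
        const name = /([^\s"'=<>\/]+)\s*$/.exec(template.slice(0, i));
        findings.push({ attr: name ? name[1] : "?", expr: m[1] });
        i += m[0].length; // skip past the expression
      }
    }
  }
  return findings;
}

// Template and input from the proof of concept; the quoted variant is the fix.
const input = { foo: "test.com onload=alert(1)" };
const unquoted = render("<a href={{foo}}/>", input);
const quoted = render('<a href="{{foo}}"/>', input);
console.log(unquoted, attrNames(unquoted));
console.log(quoted, attrNames(quoted));
console.log(findUnquotedAttrs("<a href={{foo}}/>"));
```

Escaping leaves spaces and "=" untouched, so only the quotes keep the whole value inside href; running findUnquotedAttrs over template files in a build or review step catches the pattern before it ships.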

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
