Description
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
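Added example, not code from the advisory or the Handlebars project: a small Python audit that walks a constructed package-lock.json excerpt and flags every nested handlebars copy whose version falls inside the ranges stated above. It assumes the lockfileVersion 1 nested "dependencies" layout, and treats a prerelease of a fix version (for example 4.5.3-beta.1) as still affected, which is my own reading of semver ordering.

```python
import json
import re

# Affected ranges from the advisory: anything before 3.0.8, and any 4.x before 4.5.3.
FIXED_3X = (3, 0, 8)
FIXED_4X = (4, 5, 3)

SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")

def parse_version(text):
    """Return ((major, minor, patch), has_prerelease) for an exact semver string."""
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an exact semver version: {text!r}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch)), pre is not None

def is_vulnerable(version):
    core, prerelease = parse_version(version)
    if core[0] < 3:
        return True            # older than every fixed release line
    if core[0] == 3:
        fixed = FIXED_3X
    elif core[0] == 4:
        fixed = FIXED_4X
    else:
        return False           # 5.x and later are outside the stated ranges
    # A prerelease of the fix version sorts before the release, so treat it as affected (assumption).
    return core < fixed or (core == fixed and prerelease)

def find_handlebars(lock):
    """Yield (dependency path, version) for every handlebars copy in a lockfileVersion 1 tree."""
    def walk(deps, path):
        for name, info in deps.items():
            here = path + [name]
            if name == "handlebars" and "version" in info:
                yield "/".join(here), info["version"]
            yield from walk(info.get("dependencies", {}), here)
    yield from walk(lock.get("dependencies", {}), [])

def audit(lock):
    """Return the handlebars copies (path, version) that fall inside the advisory's ranges."""
    return [(path, v) for path, v in find_handlebars(lock) if is_vulnerable(v)]

# Constructed package-lock.json excerpt: one patched top-level copy and two vulnerable nested copies.
SAMPLE_LOCK = json.loads("""{"name": "example-app", "lockfileVersion": 1, "dependencies": {
  "handlebars": {"version": "4.5.3"},
  "some-report-tool": {"version": "1.2.0", "dependencies": {"handlebars": {"version": "4.1.2"}}},
  "legacy-widget": {"version": "0.9.0", "dependencies": {"handlebars": {"version": "3.0.7"}}}}}""")
```

Running audit(SAMPLE_LOCK) reports the two nested copies (4.1.2 and 3.0.7) and leaves the patched top-level 4.5.3 alone; point it at json.load(open("package-lock.json")) to check a real project.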
Remediation
Upgrade handlebars to version 3.0.8 or 4.5.3 or later, including transitive copies pulled in by other packages.
References
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324
Related Vulnerabilities
CVE-2019-10768 Vulnerability in npm package angular
CVE-2018-25031 Vulnerability in npm package swagger-ui-dist
CVE-2015-8860 Vulnerability in maven package org.webjars:tar
CVE-2023-3432 Vulnerability in maven package net.sourceforge.plantuml:plantuml
CVE-2019-10375 Vulnerability in maven package hudson.plugins.filesystem_scm:filesystem_scm