Description

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Remediation

References

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478

https://www.npmjs.com/advisories/1316

https://www.npmjs.com/advisories/1324

Related Vulnerabilities

CVE-2019-10768 Vulnerability in npm package angular

CVE-2018-25031 Vulnerability in npm package swagger-ui-dist

CVE-2015-8860 Vulnerability in maven package org.webjars:tar

CVE-2023-3432 Vulnerability in maven package net.sourceforge.plantuml:plantuml

CVE-2019-10375 Vulnerability in maven package hudson.plugins.filesystem_scm:filesystem_scm

Severity

Critical

Classification

CWE-94 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L

Tags

Third Party Advisory Exploit