Description

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Remediation

References

CVE-2019-20920

Related Vulnerabilities

Python Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2016-4472)

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2018-7584)

MySQL CVE-2023-21950 Vulnerability (CVE-2023-21950)

Serendipity Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3800)

IBM RTC Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-2986)

Severity

High

Classification

CVE-2019-20920 CWE-94 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities