PT-2017-7493 · Handlebars+1

Published: 2017-01-23 · Updated: 2020-04-22 · CVE-2015-8861

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerable software and affected versions: handlebars versions prior to 4.0.0
Description: The issue allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute whose value is not quoted. When an attribute in a Handlebars template is not enclosed in quotes, the rendered value can break out of the attribute and introduce additional attributes, leading to execution of malicious scripts. For example, a template like <a href={{foo}}/> can be exploited with an input like { 'foo' : 'test.com onload=alert(1)' }, resulting in the rendered output <a href=test.com onload=alert(1)/>, in which the injected onload handler executes.
Recommendations: Update to version 4.0.0 or later. Alternatively, ensure that every attribute in Handlebars templates is enclosed in quotes.
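As an added illustration (not code from this advisory or from the Handlebars project), the following JavaScript models the unquoted-attribute case described above: a minimal {{name}} renderer with two assumed escape sets (one that leaves "=" alone, one that encodes it), plus a small tokenizer approximating how a browser splits a start tag into attributes, used as a check on the rendered output. The escape sets, the tokenizer and all helper names are assumptions made for this example.

```javascript
// Added example, not Handlebars' own code. ESCAPE_LEGACY and ESCAPE_FIXED are
// assumed stand-ins for escaping that ignores "=" versus escaping that encodes it.
const ESCAPE_LEGACY = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
const ESCAPE_FIXED = Object.assign({ '=': '&#x3D;' }, ESCAPE_LEGACY);

function escapeWith(map, value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => map[ch] || ch);
}

// Minimal {{name}} renderer: every expression is HTML-escaped with the given map.
function render(template, context, map) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    escapeWith(map, context[name] === undefined ? '' : context[name]));
}

// Approximates browser start-tag tokenization: a quoted value runs to its
// closing quote, an unquoted value ends at whitespace, so extra words in an
// unquoted value become new attribute names. (Constructed helper, not a full parser.)
function attributeNames(startTag) {
  const inner = startTag.replace(/^<\w+\s*/, '').replace(/\s*\/?>$/, '');
  const attr = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s]+))?/g;
  const names = [];
  let m;
  while ((m = attr.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Detection check: did the rendered tag gain an on* event-handler attribute?
function hasEventHandler(startTag) {
  return attributeNames(startTag).some((n) => /^on[a-z]+$/.test(n));
}

// The advisory's template and input (constructed test data taken from the page text).
const CONTEXT = { foo: 'test.com onload=alert(1)' };
const UNQUOTED = '<a href={{foo}}/>';
const QUOTED = '<a href="{{foo}}"/>';

function demo() {
  return {
    unquotedLegacy: render(UNQUOTED, CONTEXT, ESCAPE_LEGACY), // injected handler survives
    unquotedFixed: render(UNQUOTED, CONTEXT, ESCAPE_FIXED),   // "=" encoded, no handler
    quotedLegacy: render(QUOTED, CONTEXT, ESCAPE_LEGACY),     // quoting alone contains it
  };
}

for (const [name, html] of Object.entries(demo())) {
  console.log(name, hasEventHandler(html) ? 'VULNERABLE' : 'safe', html);
}
```

Running it shows that either remedy from the recommendations is sufficient on its own: encoding "=" keeps the extra words from forming a new attribute, and quoting the attribute keeps them inside the href value.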

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2015-8861
GHSA-9PRH-257W-9277
GHSA-FMR4-7G9Q-7HC7

Affected products

Debian
Handlebars