PT-2019-4634 · Handlebars · Handlebars

Published

2019-12-20

·

Updated

2022-06-03

·

CVE-2019-19919

CVSS v2.0

10

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the vulnerable software and affected versions: handlebars versions prior to 3.0.8; handlebars versions prior to 4.3.0.
Description: A crafted template can reach and modify an object's `__proto__` and `__defineGetter__` properties, because the Handlebars templating engine does not neutralize these special property names when it resolves template paths against the context. Since templates may modify these properties, the prototype pollution can be escalated to remote code execution.
Recommendations: For handlebars versions prior to 3.0.8, upgrade to version 3.0.8 or later. For handlebars versions prior to 4.3.0, upgrade to version 4.3.0 or later.
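The lookup weakness the description refers to, as an added illustration that is not Handlebars' own code: a minimal resolver for `{{a.b.c}}` paths in a naive form, where plain property access follows inherited properties such as `__proto__` and `constructor` through the context object, beside a hardened form that only resolves own properties and rejects the special names. The engine, the context, and the names `naiveLookup`, `safeLookup`, `renderTemplate` and `FORBIDDEN_KEYS` are assumptions made for this illustration.

```javascript
// Added illustration, not Handlebars' own code: a minimal template
// engine that resolves {{a.b.c}} paths against a context object.
// naiveLookup mirrors the weakness described above (inherited and
// special properties are reachable); safeLookup is the hardened form.

// Property names that must never be reachable from a template path.
// Assumption: this list belongs to the illustration, not to Handlebars.
const FORBIDDEN_KEYS = new Set([
  "__proto__", "constructor", "prototype",
  "__defineGetter__", "__defineSetter__",
  "__lookupGetter__", "__lookupSetter__",
]);

// Naive resolver: plain property access follows the prototype chain,
// so "user.__proto__" yields Object.prototype and "user.constructor"
// yields the Object function.
function naiveLookup(context, path) {
  let current = context;
  for (const key of path.split(".")) {
    if (current === null || current === undefined) return undefined;
    current = current[key];
  }
  return current;
}

// Hardened resolver: each segment must be an own property of an object
// and must not be one of the special names.
function safeLookup(context, path) {
  let current = context;
  for (const key of path.split(".")) {
    if (current === null || typeof current !== "object") return undefined;
    if (FORBIDDEN_KEYS.has(key)) return undefined;
    if (!Object.prototype.hasOwnProperty.call(current, key)) return undefined;
    current = current[key];
  }
  return current;
}

// Substitute every {{path}} in the template using the given resolver.
function renderTemplate(template, context, lookup) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_match, path) => {
    const value = lookup(context, path);
    return value === undefined ? "" : String(value);
  });
}

// Constructed sample context and a template that walks into the prototype.
const SAMPLE_CONTEXT = { user: { name: "alice" } };
const PROBE =
  "{{user.name}} / {{user.__proto__.constructor.name}} / {{user.constructor.name}}";

console.log("naive:", renderTemplate(PROBE, SAMPLE_CONTEXT, naiveLookup));
console.log("safe: ", renderTemplate(PROBE, SAMPLE_CONTEXT, safeLookup));
```

Blocking only `__proto__` is not enough, because `constructor.prototype` reaches the same object; that is why the hardened form combines a denylist of the special names with an own-property check, so that nothing inherited from `Object.prototype` (including `__defineGetter__`) is reachable from a template path.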

Exploit

Fix

RCE

Special Elements Injection

Prototype Pollution


Weakness Enumeration

Related identifiers

BDU:2020-00795
CVE-2019-19919
GHSA-W457-6Q6X-CGP9

Affected products

Handlebars