Francois Lajeunesse-Robert

**Name of the Vulnerable Software and Affected Versions** handlebars versions prior to 4.7.7 **Description** The issue allows for Remote Code Execution (RCE) when certain compiling options are selected to compile templates from an untrusted source. **Recommendations** For versions prior to 4.7.7, update to version 4.7.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Handlebars versions prior to 4.7.7 **Description** The issue is related to errors in code generation management in the Handlebars template creation tool. It can be exploited by a remote attacker to gain access to confidential data, compromise data integrity, and cause a denial of service. The vulnerability is specifically related to Prototype Pollution when certain compiling options are selected to compile templates from an untrusted source. **Recommendations** For versions prior to 4.7.7, update to version 4.7.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of untrusted templates and certain compiling options to minimize the risk of exploitation. Avoid using the Handlebars package with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Handlebars versions prior to 3.0.8 Handlebars versions 4.x prior to 4.5.3 **Description** The issue allows attackers to execute arbitrary JavaScript code by submitting templates that are not properly validated by the lookup helper. This can lead to arbitrary code execution on a server that processes Handlebars templates or in a victim's browser, effectively serving as a cross-site scripting (XSS) attack. **Recommendations** For Handlebars versions prior to 3.0.8, update to version 3.0.8 or later. For Handlebars versions 4.x prior to 4.5.3, update to version 4.5.3 or later.