PT-2020-10875 · Handlebars · Handlebars

Francois Lajeunesse-Robert

Published

2020-09-30

Updated

2022-02-10

CVE-2019-20920

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions Handlebars versions prior to 3.0.8 Handlebars versions 4.x prior to 4.5.3

Description The issue allows attackers to execute arbitrary JavaScript code by submitting templates that are not properly validated by the lookup helper. This can lead to arbitrary code execution on a server that processes Handlebars templates or in a victim's browser, effectively serving as a cross-site scripting (XSS) attack.

Recommendations For Handlebars versions prior to 3.0.8, update to version 3.0.8 or later. For Handlebars versions 4.x prior to 4.5.3, update to version 4.5.3 or later.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2019-20920

GHSA-3CQR-58RM-57F8

RHSA-2020:5179

SNYK-JS-HANDLEBARS-534478

Affected Products

Handlebars

PT-2020-10875 · Handlebars · Handlebars

CVE-2019-20920

Weakness Enumeration

Related Identifiers

Affected Products

References · 14