Search for packages
| purl | pkg:npm/handlebars@1.0.7 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-ee9h-dvvt-qyat
Aliases: GMS-2015-33 |
XSS vulnerability due to improper value escaping The library does not properly escape attribute values making XSS exploits possible. |
Affected by 9 other vulnerabilities. |
|
VCID-f1td-t6kf-wfcm
Aliases: GHSA-q42p-pg8m-cqh6 GMS-2019-126 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-nhz2-v28w-gye1
Aliases: CVE-2019-19919 GHSA-w457-6q6x-cgp9 |
Prototype Pollution in handlebars The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. Versions Affected: 0.3.3.5-0.3.3.8 Not affected: < 0.3.3.5 Fixed Versions: None Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. |
Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. |
|
VCID-q9rt-jtx1-hybx
Aliases: GHSA-q2c6-c6pm-g3gh GMS-2020-730 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-r2g9-pje8-ykcb
Aliases: CVE-2015-8861 GHSA-9prh-257w-9277 |
Quoteless Attributes in Templates can lead to Content Injection Not using quotes around your attributes in handlebar templates, could lead to content injection. ### Example Template: ```<a href={{foo}}/>``` Input: ```{ 'foo' : 'test.com onload=alert(1)'}``` Rendered result: ```<a href=test.com onload=alert(1)/>``` |
Affected by 9 other vulnerabilities. |
|
VCID-s9ab-ntdt-vkgd
Aliases: GHSA-g9r4-xpmj-mj65 GMS-2020-729 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-uv5v-22z9-fbfg
Aliases: GHSA-2cf5-4w76-r9qv GMS-2020-727 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. |
|
VCID-xxez-8xav-cfdz
Aliases: CVE-2021-23369 GHSA-f2jv-r9rf-7988 |
Remote code execution in handlebars when compiling templates The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||