Search for packages
| purl | pkg:npm/handlebars@1.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3ej8-4wrb-dqed
Aliases: CVE-2021-23383 GHSA-765h-qjxv-5f44 |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. |
Affected by 0 other vulnerabilities. |
|
VCID-7c3a-mqkm-3ycc
Aliases: CVE-2019-20920 GHSA-3cqr-58rm-57f8 |
Improper Control of Generation of Code ('Code Injection') Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS). |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-ee9h-dvvt-qyat
Aliases: GMS-2015-33 |
XSS vulnerability due to improper value escaping The library does not properly escape attribute values making XSS exploits possible. |
Affected by 10 other vulnerabilities. |
|
VCID-f1td-t6kf-wfcm
Aliases: GHSA-q42p-pg8m-cqh6 GMS-2019-126 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 7 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-nhz2-v28w-gye1
Aliases: CVE-2019-19919 GHSA-w457-6q6x-cgp9 |
Prototype Pollution in handlebars The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. Versions Affected: 0.3.3.5-0.3.3.8 Not affected: < 0.3.3.5 Fixed Versions: None Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. |
Affected by 2 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-q9rt-jtx1-hybx
Aliases: GHSA-q2c6-c6pm-g3gh GMS-2020-730 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-r2g9-pje8-ykcb
Aliases: CVE-2015-8861 GHSA-9prh-257w-9277 |
Quoteless Attributes in Templates can lead to Content Injection Not using quotes around your attributes in handlebar templates, could lead to content injection. ### Example Template: ```<a href={{foo}}/>``` Input: ```{ 'foo' : 'test.com onload=alert(1)'}``` Rendered result: ```<a href=test.com onload=alert(1)/>``` |
Affected by 10 other vulnerabilities. |
|
VCID-s9ab-ntdt-vkgd
Aliases: GHSA-g9r4-xpmj-mj65 GMS-2020-729 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-uv5v-22z9-fbfg
Aliases: GHSA-2cf5-4w76-r9qv GMS-2020-727 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 2 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-xxez-8xav-cfdz
Aliases: CVE-2021-23369 GHSA-f2jv-r9rf-7988 |
Remote code execution in handlebars when compiling templates The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||