Package details: pkg:rpm/redhat/org.optaweb.employeerostering-optaweb-employee@rostering-8.13.0?arch=Final_redhat_00013-1
purl pkg:rpm/redhat/org.optaweb.employeerostering-optaweb-employee@rostering-8.13.0?arch=Final_redhat_00013-1
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-6763-eu92-aaab
Aliases:
CVE-2019-20920
GHSA-3cqr-58rm-57f8
Improper Control of Generation of Code ('Code Injection') Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS). There are no reported fixed by versions.
VCID-b883-ecmk-aaas
Aliases:
CVE-2019-20922
GHSA-62gr-4qp9-h98f
Uncontrolled Resource Consumption Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources. There are no reported fixed by versions.
VCID-hteh-c566-aaae
Aliases:
CVE-2021-23383
GHSA-765h-qjxv-5f44
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when certain compiling options are selected to compile templates coming from an untrusted source. There are no reported fixed by versions.
VCID-mb2f-kmzq-aaad
Aliases:
CVE-2021-23369
GHSA-f2jv-r9rf-7988
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compiling options are selected to compile templates coming from an untrusted source. There are no reported fixed by versions.
VCID-mvtf-uss1-aaab
Aliases:
CVE-2018-1000134
GHSA-qwq9-8rpf-8mp7
UnboundID LDAP SDK, from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6 (where the issue was reported and fixed), contains an Incorrect Access Control vulnerability: the process function in the SimpleBindRequest class does not check for an empty password when running in synchronous mode. The commit with the applied fix is https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd. The flaw can result in the ability to impersonate any valid user. This attack appears to be exploitable by providing a valid username and an empty password against servers that do not perform additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed after commit 8471904a02438c03965d21367890276bc25fa5a6. There are no reported fixed by versions.
VCID-whdv-8afv-aaah
Aliases:
CVE-2019-19919
GHSA-w457-6q6x-cgp9
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. There are no reported fixed by versions.
VCID-y2ff-qfxj-aaar
Aliases:
CVE-2017-12629
GHSA-mh7g-99w9-xpjm
Remote code execution occurs in Apache Solr. There are no reported fixed by versions.
VCID-z8en-rjh3-aaag
Aliases:
CVE-2021-26291
GHSA-2f88-5hg8-9x2x
Origin Validation Error in Apache Maven. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.