Vulnerability details: VCID-6763-eu92-aaab
Vulnerability ID VCID-6763-eu92-aaab
Aliases CVE-2019-20920, GHSA-3cqr-58rm-57f8
Summary Improper Control of Generation of Code ('Code Injection'). Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (5)
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20920.html
rhas Low https://access.redhat.com/errata/RHSA-2020:5179
rhas Moderate https://access.redhat.com/errata/RHSA-2021:2500
rhas Important https://access.redhat.com/errata/RHSA-2021:3917
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json
epss 0.005 https://api.first.org/data/v1/epss?cve=CVE-2019-20920
epss 0.00524 https://api.first.org/data/v1/epss?cve=CVE-2019-20920
epss 0.00699 https://api.first.org/data/v1/epss?cve=CVE-2019-20920
epss 0.01186 https://api.first.org/data/v1/epss?cve=CVE-2019-20920
epss 0.01427 https://api.first.org/data/v1/epss?cve=CVE-2019-20920
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1882260
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-3cqr-58rm-57f8
cvssv3.1 8.1 https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
generic_textual HIGH https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
cvssv3.1 8.1 https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
generic_textual HIGH https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2019-20920
cvssv3 8.1 https://nvd.nist.gov/vuln/detail/CVE-2019-20920
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2019-20920
cvssv3.1 8.1 https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
generic_textual HIGH https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
cvssv3.1 8.1 https://www.npmjs.com/advisories/1316
generic_textual HIGH https://www.npmjs.com/advisories/1316
cvssv3.1 8.1 https://www.npmjs.com/advisories/1324
generic_textual HIGH https://www.npmjs.com/advisories/1324
cvssv3.1 9.8 https://www.npmjs.com/package/handlebars
generic_textual CRITICAL https://www.npmjs.com/package/handlebars
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L Found at https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L Found at https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): low

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-20920
Access Vector (AV): network; Access Complexity (AC): medium; Authentication (Au): none; Confidentiality Impact (C): partial; Integrity Impact (I): partial; Availability Impact (A): partial

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2019-20920
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2019-20920
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L Found at https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L Found at https://www.npmjs.com/advisories/1316
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L Found at https://www.npmjs.com/advisories/1324
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.npmjs.com/package/handlebars
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Exploit Prediction Scoring System (EPSS)
Percentile 0.63159
EPSS Score 0.005
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.