Cross-Site Scripting Vulnerability in Handlebars for Node.js
CVE-2015-8861

6.1 MEDIUM

Key Information:

Vendor
CVE Published: 23 January 2017

What is CVE-2015-8861?

The Handlebars templating engine for Node.js, prior to version 4.0.0, is susceptible to cross-site scripting (XSS) vulnerabilities. In particular, the issue arises when templates utilize attributes that are not properly quoted. This flaw enables remote attackers to inject malicious scripts, potentially compromising the security of web applications using Handlebars for rendering dynamic content. It is crucial for developers to upgrade to the latest version and implement adequate security measures to mitigate such risks.
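
A defensive check for the template pattern described above, as an added example that is not part of the original advisory or of the Handlebars project: it scans template source and reports attributes whose value is an unquoted `{{...}}` expression. The function names and the sample template are constructed for illustration.

```javascript
// Added example (not Handlebars code): report attributes whose value is an
// unquoted Handlebars expression, e.g. <a href={{url}}>.
function skipMustache(src, i) {
  const close = src.indexOf("}}", i + 2);
  if (close === -1) return src.length;
  return src[close + 2] === "}" ? close + 3 : close + 2; // handles "{{{raw}}}"
}

function findUnquotedMustacheAttrs(src) {
  const findings = [];
  let i = 0, inTag = false;
  while (i < src.length) {
    // Expressions are atomic, so "{{> partial}}" is never read as markup.
    if (src.startsWith("{{", i)) { i = skipMustache(src, i); continue; }
    const ch = src[i];
    if (!inTag) {
      if (ch === "<" && /[A-Za-z]/.test(src[i + 1] || "")) inTag = true;
      i++; continue;
    }
    if (ch === ">") { inTag = false; i++; continue; }
    if (ch !== "=") { i++; continue; }
    const name = (/([^\s"'<>\/=]+)\s*$/.exec(src.slice(0, i)) || [])[1];
    let j = i + 1;
    while (/\s/.test(src[j] || "")) j++;
    if (src[j] === '"' || src[j] === "'") {
      // Quoted value: skip to the closing quote, nothing to report.
      const end = src.indexOf(src[j], j + 1);
      i = end === -1 ? src.length : end + 1;
      continue;
    }
    const start = j; // unquoted value runs to whitespace or ">"
    while (j < src.length && !/[\s>]/.test(src[j])) {
      j = src.startsWith("{{", j) ? skipMustache(src, j) : j + 1;
    }
    const value = src.slice(start, j);
    if (value.includes("{{")) {
      findings.push({ line: src.slice(0, i).split("\n").length, attr: name, value });
    }
    i = j;
  }
  return findings;
}

// Constructed sample template, not taken from any real project.
const SAMPLE = [
  '<a href={{url}} title="{{title}}">{{label}}</a>',
  '<input type=text value={{ user.name }} data-x="a={{b}}">',
  '{{> footer}}<p class="{{cls}}">ok</p>',
].join("\n");
console.log(findUnquotedMustacheAttrs(SAMPLE));
```

Quoting each reported attribute value, for example `href="{{url}}"`, removes the unquoted-attribute pattern from the template.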

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
