Arbitrary Code Execution Vulnerability in Handlebars by Handlebars
CVE-2019-20920

8.1 HIGH

Key Information:

Vendor:
Handlebars
CVE Published:
30 September 2020

What is CVE-2019-20920?

The Handlebars templating engine prior to versions 3.0.8 and 4.5.3 has a significant vulnerability: inadequate validation of templates in the lookup helper can lead to arbitrary code execution. An attacker who can submit a malicious template can execute arbitrary JavaScript either on the server that processes the Handlebars templates or in the user's browser. Consequently, the flaw also enables cross-site scripting (XSS) attacks, compromising user data and application integrity.

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
