CVE-2019-20920

high

Description

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

References

https://www.npmjs.com/advisories/1324

https://www.npmjs.com/advisories/1316

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478

Details

Source: Mitre, NVD

Published: 2020-09-30

Updated: 2020-10-15

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L

Severity: High