HIGH🇬🇧 English

CVE-2019-20920

CVSS 8.1v3.1pub. 2020-09-30upd. 2024-11-21

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
  • Handlebarsjs Handlebars

    APP
    Handlebarsjs
    < 3.0.84.0.0 – 4.5.3 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEXSS
CWE
Referencje

Powiązane podatności

CVE-2026-33937CRITICAL9.8PL ✓ten sam produkt

RCE w Handlebars.js przez wstrzyknięcie kodu przez AST (compile)

CVE-2026-33941HIGH8.2ten sam produkt

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...

CVE-2026-33938HIGH8.1ten sam produkt

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...

CVE-2026-33939HIGH7.5ten sam produkt

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...

CVE-2026-33940HIGH8.1ten sam produkt

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...