CVE-2019-20920
Summary
| CVE | CVE-2019-20920 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-09-30 18:15:00 UTC |
| Updated | 2020-10-15 17:35:00 UTC |
| Description | Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS). |
Risk And Classification
Problem Types: CWE-94 (Improper Control of Generation of Code, "Code Injection")
The exposure described here requires the attacker to control template source (the description's "submit templates"); the unsafe behaviour is in the lookup helper of the template engine, not in how context data is rendered.
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Handlebarsjs | Handlebars | All versions before 3.0.8 | All | All | All |
| Application | Handlebarsjs | Handlebars | 4.x before 4.5.3 (4.0.0 up to, not including, 4.5.3) | All | All | All |
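The two affected ranges above are easy to misread when a project carries several nested copies of the library, so the following added example (not code from the CVE record or from the Handlebars project) encodes the ranges exactly as the description states them and walks an npm lockfile to flag every installed copy. The lockfile shape assumed is the lockfileVersion 1 nested `dependencies` tree, and the `SAMPLE_LOCK` object is constructed sample data, not a real project.

```javascript
// Added example (not from the CVE record or the Handlebars project):
// flag Handlebars versions that fall inside the ranges the CVE-2019-20920
// description names, "before 3.0.8" and "4.x before 4.5.3".

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any prerelease or
// build suffix are ignored, so "4.5.3-beta.1" is treated as 4.5.3).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges exactly as the CVE description states them.
// `from` is inclusive, `before` is exclusive (the fixed release).
const AFFECTED_RANGES = [
  { from: null, before: "3.0.8" },     // everything before 3.0.8
  { from: "4.0.0", before: "4.5.3" },  // 4.x before 4.5.3
];

function isAffected(version) {
  const v = parseSemver(version);
  return AFFECTED_RANGES.some(({ from, before }) => {
    const pastStart = from === null || compareSemver(v, parseSemver(from)) >= 0;
    const beforeFix = compareSemver(v, parseSemver(before)) < 0;
    return pastStart && beforeFix;
  });
}

// Walk an npm package-lock.json (lockfileVersion 1 nested "dependencies"
// tree, an assumption of this example) and report every installed copy of
// handlebars, transitive ones included: a patched top-level copy says
// nothing about copies nested under other packages.
function findHandlebars(lock) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === "handlebars" && info.version) {
        hits.push({
          path: here.join(" > "),
          version: info.version,
          affected: isAffected(info.version),
        });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not real project data): one patched
// top-level copy and two vulnerable copies nested under other packages.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    handlebars: { version: "4.5.3" },
    "some-tool": {
      version: "1.0.0",
      dependencies: { handlebars: { version: "4.1.2" } },
    },
    "old-lib": {
      version: "0.9.0",
      dependencies: { handlebars: { version: "3.0.7" } },
    },
  },
};

for (const hit of findHandlebars(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version}: ${hit.affected ? "AFFECTED" : "ok"}`);
}
```

Run it with Node against a parsed `package-lock.json` in place of `SAMPLE_LOCK`. The walk only follows the nested `dependencies` tree; lockfiles that carry only the flat `packages` map need a different traversal, and the version comparison deliberately treats prerelease tags as their base release, which errs on the side of reporting.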
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Arbitrary Code Execution in handlebars (Snyk) | MISC | snyk.io | Third Party Advisory |
| Overview | MISC | www.npmjs.com | Exploit, Third Party Advisory |
| Overview | MISC | www.npmjs.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.