Lucene search
Matias P. BruttiNODEJS:61HistoryDec 14, 2015 - 4:51 p.m.
Cross-Site Scripting
2015-12-1416:51:56
Matias P. Brutti
www.npmjs.com
141
0.001 Low
EPSS
Percentile
49.0%
Overview
Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
Proof of Concept
Template:
<a href />
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href />
Recommendation
Update to version 4.0.0 or later.
Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| handlebars | lt | 4.0.0 |
Related
ubuntucve
ubuntucve
CVE-2015-8861
2017-01-23 00:00:00
cvelist
cvelist
CVE-2015-8861
2017-01-23 21:00:00
prion
prion
Cross site scripting
2017-01-23 21:59:00
debiancve
debiancve
CVE-2015-8861
2017-01-23 21:59:00
github
github
Cross-Site Scripting in handlebars
2018-10-23 17:20:12
osv
osv
Cross-Site Scripting in handlebars
2018-10-23 17:20:12
nvd
nvd
CVE-2015-8861
2017-01-23 21:59:00
cve
cve
CVE-2015-8861
2017-01-23 21:59:00
ibm
ibm
nessus
nessus
Tenable Log Correlation Engine (LCE) < 4.8.1 Multiple Vulnerabilities
2017-03-22 00:00:00