Versions of handlebars
prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects’ __proto__
and __defineGetter__
properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Upgrade to version 3.0.8, 4.3.0 or later.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db
github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js
github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5
github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
github.com/wycats/handlebars.js
github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc
github.com/wycats/handlebars.js/issues/1558
nvd.nist.gov/vuln/detail/CVE-2019-19919
www.tenable.com/security/tns-2021-14