Description
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
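The advisory gives the affected ranges but no way to find out whether a dependency tree carries an affected copy. The script below is an added example, not part of this advisory or of the Handlebars project: it encodes the two fixed versions named above (3.0.8 and 4.5.3), checks a version string against them, and walks a constructed npm package-lock.json object (both the lockfileVersion 1 "dependencies" shape and the 2/3 "packages" shape, which are assumed here from the npm lockfile format) to flag every handlebars entry, including nested copies pulled in by another package.

```javascript
// Added example (not from the advisory). Flags Handlebars versions inside the
// affected ranges stated in the description: anything below 3.0.8, and 4.x below 4.5.3.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", optional prerelease/build suffix)
// into three numbers. Returns null for anything that does not look like a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Compare two parsed versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Fixed versions taken from the advisory text.
const FIXED_3X = [3, 0, 8];
const FIXED_4X = [4, 5, 3];

function isVulnerableHandlebars(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable version: ${version}`);
  if (v[0] < 3) return true;                          // 1.x and 2.x are "before 3.0.8"
  if (v[0] === 3) return compareVersions(v, FIXED_3X) < 0;
  if (v[0] === 4) return compareVersions(v, FIXED_4X) < 0;
  return false;                                       // later majors are outside the stated ranges
}

// Collect every handlebars entry in a package-lock.json object.
// lockfileVersion 2/3: flat "packages" map keyed by install path.
// lockfileVersion 1: nested "dependencies" tree.
function findHandlebarsVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/handlebars$/.test(path) && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'handlebars' && entry.version) found.push({ path, version: entry.version });
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Annotate each handlebars entry with whether its version falls in an affected range.
function auditLock(lock) {
  return findHandlebarsVersions(lock).map(e => ({ ...e, vulnerable: isVulnerableHandlebars(e.version) }));
}

// Constructed sample lockfile (lockfileVersion 2 shape): a patched top-level copy
// plus an older nested copy that a dependency brought in on its own.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/handlebars': { version: '4.5.3' },
    'node_modules/some-report-tool': { version: '2.1.0' },
    'node_modules/some-report-tool/node_modules/handlebars': { version: '4.1.2' },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

The nested copy is the case worth checking for: `npm ls handlebars` style tooling reports it, but a quick look at the top-level dependency alone does not. To run this against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json.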
Remediation
References
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324
Related Vulnerabilities
CVE-2023-24998 Vulnerability in maven package commons-fileupload:commons-fileupload
CVE-2016-4993 Vulnerability in maven package io.undertow:undertow-core
CVE-2023-39022 Vulnerability in maven package opensymphony:oscore
CVE-2017-1000208 Vulnerability in maven package io.swagger:swagger-parser
CVE-2020-7020 Vulnerability in maven package org.elasticsearch:elasticsearch