Vulnerability Description
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Handlebarsjs | Handlebars | < 3.0.8 |
| Handlebarsjs | Handlebars | 4.x, < 4.5.3 |
Related Weaknesses (CWE)
References
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478 (Third Party Advisory)
- https://www.npmjs.com/advisories/1316 (Exploit, Third Party Advisory)
- https://www.npmjs.com/advisories/1324 (Third Party Advisory)
FAQ
What is CVE-2019-20920?
CVE-2019-20920 is a vulnerability with a CVSS score of 8.1 (HIGH). Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbi...
How severe is CVE-2019-20920?
CVE-2019-20920 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-20920?
Check the references section above for vendor advisories and patch information. Affected products include: Handlebarsjs Handlebars.