oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request: handlebars node.js module <4.0.0 - "Quoteless attributes in templates can lead to XSS"

From: Reed Loden <reed () reedloden com>
Date: Fri, 11 Dec 2015 08:26:29 -0800
As seen on SRC:CLR --
https://blog.srcclr.com/handlebars_vulnerability_research_findings/

Blog post has all the details, but basically the handlebars node module is
missing some characters in its escaping mechanisms, allowing for possible
XSS.

Handlebars "provides the power necessary to let you build semantic
templates effectively with no frustration".

Node.js module: handlebars (https://www.npmjs.com/package/handlebars)
Affects: 3.0.3 and earlier
Fixed in: 4.0.0
Reported via https://github.com/wycats/handlebars.js/pull/1083
Fixed by
https://github.com/wycats/handlebars.js/commit/83b8e846a3569bd366cf0b6bdc1e4604d1a2077e
(note that the SRC:CLR blog post mentions an incorrect commit id for the
actual fix)

Can a CVE be assigned?

Note that this also affects many other Node.js and rubygems as well, as the
code was copy/pasted a lot. See also
https://github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5
.

Thanks,
~reed
Previous By Date Next
Previous By Thread Next

Current thread: