oss-sec mailing list archives
CVE request: handlebars node.js module <4.0.0 - "Quoteless attributes in templates can lead to XSS"
From: Reed Loden <reed () reedloden com>
Date: Fri, 11 Dec 2015 08:26:29 -0800
As seen on SRC:CLR -- https://blog.srcclr.com/handlebars_vulnerability_research_findings/ Blog post has all the details, but basically the handlebars node module is missing some characters in its escaping mechanisms, allowing for possible XSS. Handlebars "provides the power necessary to let you build semantic templates effectively with no frustration". Node.js module: handlebars (https://www.npmjs.com/package/handlebars) Affects: 3.0.3 and earlier Fixed in: 4.0.0 Reported via https://github.com/wycats/handlebars.js/pull/1083 Fixed by https://github.com/wycats/handlebars.js/commit/83b8e846a3569bd366cf0b6bdc1e4604d1a2077e (note that the SRC:CLR blog post mentions an incorrect commit id for the actual fix) Can a CVE be assigned? Note that this also affects many other Node.js and rubygems as well, as the code was copy/pasted a lot. See also https://github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5 . Thanks, ~reed
Current thread:
- CVE request: handlebars node.js module <4.0.0 - "Quoteless attributes in templates can lead to XSS" Reed Loden (Dec 11)