CVE-2019-20920
CVE-2019-20920 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. EPSS estimates a 3.19% chance of exploitation in the next 30 days.
Description
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Handlebarsjs | Handlebars | < 3.0.8 |
| Handlebarsjs | Handlebars | >= 4.0.0, < 4.5.3 |
References
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478 (Third Party Advisory)
- https://www.npmjs.com/advisories/1316 (Exploit, Third Party Advisory)
- https://www.npmjs.com/advisories/1324 (Third Party Advisory)
Source: NVD / NIST
