NodeJS/handlebars/3.0.8

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Repo Link: https://www.npmjs.com/package/handlebars
License: MIT

7 Security Vulnerabilities

Remote code execution in Handlebars.js

Published date: 2019-07-15T19:46:01Z

Links:

Handlebars.js before 4.1.0 has Remote Code Execution (RCE)

Secure versions: [4.7.7, 4.7.8]

Recommendation: Update to version 4.7.8.

Prototype Pollution in handlebars

Published date: 2022-02-10T23:51:42Z

CVE: CVE-2021-23383

Links:

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Affected versions: ["1.0.6", "1.0.6-2", "1.0.7", "1.0.8", "1.0.9", "1.0.10", "1.0.11", "1.0.12", "1.1.0", "1.1.1", "1.1.2", "1.2.0", "1.2.1", "1.3.0", "2.0.0-alpha.1", "2.0.0-alpha.2", "2.0.0-alpha.3", "2.0.0-alpha.4", "2.0.0-beta.1", "2.0.0", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9", "4.0.10", "4.0.11", "1.0.2-beta", "1.0.4-beta", "1.0.5-beta", "4.0.12", "3.0.4", "3.0.5", "3.0.6", "4.1.0", "4.0.13", "4.1.1", "4.1.2", "4.0.14", "3.0.7", "4.1.2-0", "4.2.0", "4.2.1", "4.3.0", "4.3.1", "4.3.2", "4.3.3", "4.3.4", "4.4.0", "4.4.1", "4.3.5", "4.2.2", "4.4.2", "4.4.3", "4.4.4", "4.4.5", "4.5.0", "4.5.1", "4.5.2", "4.5.3", "4.6.0", "4.7.0", "4.7.1", "4.7.2", "4.7.3", "3.0.8", "4.7.4", "4.7.5", "4.7.6"]

Secure versions: [4.7.7, 4.7.8]

Recommendation: Update to version 4.7.8.

Cross-Site Scripting in handlebars

Published date: 2018-10-23T17:20:12Z

CVE: CVE-2015-8861

Links:

Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.

Proof of Concept

Template: <a href={{foo}}/>

Input: { 'foo' : 'test.com onload=alert(1)'}

Rendered result: <a href=test.com onload=alert(1)/>

Recommendation

Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.

Secure versions: [4.7.7, 4.7.8]

Recommendation: Update to version 4.7.8.

Remote code execution in handlebars when compiling templates

Published date: 2021-05-06T15:57:44Z

CVE: CVE-2021-23369

Links:

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Secure versions: [4.7.7, 4.7.8]

Recommendation: Update to version 4.7.8.

Moderate severity vulnerability that affects handlebars

Published date: 2017-10-24T18:33:36Z

CVE: CVE-2015-8861

Links:

Withdrawn: Duplicate of GHSA-9prh-257w-9277

Secure versions: [4.7.7, 4.7.8]

Recommendation: Update to version 4.7.8.

Denial of Service

Published date: 2020-04-27

CVSS Score: 6.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Links:

https://hackerone.com/reports/726364

Crash Node.js process from handlebars using a small and simple source

Secure versions: [4.7.7, 4.7.8]

Recommendation: Update handlebars module to version >=4.6.0

Quoteless Attributes in Templates can lead to Content Injection

Published date: 2015-12-14

CVEs: ["CVE-2015-8861"]

CVSS Score: 5.3

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Coordinating vendor: ^Lift Security

Links:

Not using quotes around your attributes in handlebar templates, could lead to content injection.

Example

Template: <a href={{foo}}/>

Input: { 'foo' : 'test.com onload=alert(1)'}

Rendered result: <a href=test.com onload=alert(1)/>

Secure versions: [4.7.7, 4.7.8]

Recommendation: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.

80 Other Versions

Version	License	Security	Released
4.7.8	MIT		2023-08-01 - 21:19	9 months
4.7.7	MIT		2021-02-15 - 09:39	about 3 years
4.7.6	MIT	2	2020-04-03 - 17:59	about 4 years
4.7.5	MIT	2	2020-04-02 - 19:10	about 4 years
4.7.4	MIT	2	2020-04-01 - 17:21	about 4 years
4.7.3	MIT	2	2020-02-05 - 05:11	about 4 years
4.7.2	MIT	2	2020-01-13 - 20:53	over 4 years
4.7.1	MIT	2	2020-01-12 - 12:21	over 4 years
4.7.0	MIT	2	2020-01-10 - 16:24	over 4 years
4.6.0	MIT	2	2020-01-08 - 22:45	over 4 years
4.5.3	MIT	3	2019-11-18 - 07:11	over 4 years
4.5.2	MIT	6	2019-11-13 - 21:08	over 4 years
4.5.1	MIT	7	2019-10-29 - 04:42	over 4 years
4.5.0	MIT	7	2019-10-28 - 18:48	over 4 years
4.4.5	MIT	7	2019-10-20 - 21:08	over 4 years
4.4.4	MIT	9	2019-10-20 - 19:35	over 4 years
4.4.3	MIT	9	2019-10-08 - 20:06	over 4 years
4.4.2	MIT	9	2019-10-02 - 20:47	over 4 years
4.4.1	MIT	9	2019-10-02 - 19:53	over 4 years
4.4.0	MIT	9	2019-09-29 - 13:30	over 4 years
4.3.5	MIT	9	2019-10-02 - 20:06	over 4 years
4.3.4	MIT	9	2019-09-28 - 11:37	over 4 years
4.3.3	MIT	9	2019-09-27 - 05:47	over 4 years
4.3.2	MIT	9	2019-09-26 - 21:59	over 4 years
4.3.1	MIT	9	2019-09-24 - 22:35	over 4 years
4.3.0	MIT	9	2019-09-24 - 06:11	over 4 years
4.2.2	MIT	10	2019-10-02 - 20:13	over 4 years
4.2.1	MIT	10	2019-09-20 - 17:41	over 4 years
4.2.0	MIT	10	2019-09-03 - 19:58	over 4 years
4.1.2	MIT	10	2019-04-13 - 14:20	about 5 years
4.1.2-0	MIT	11	2019-08-25 - 16:07	over 4 years
4.1.1	MIT	11	2019-03-16 - 21:29	about 5 years
4.1.0	MIT	11	2019-02-07 - 09:48	about 5 years
4.0.14	MIT	11	2019-04-13 - 14:39	about 5 years
4.0.13	MIT	12	2019-02-07 - 10:28	about 5 years
4.0.12	MIT	12	2018-09-04 - 18:46	over 5 years
4.0.11	MIT	12	2017-10-17 - 20:53	over 6 years
4.0.10	MIT	12	2017-05-21 - 12:11	almost 7 years
4.0.9	MIT	12	2017-05-21 - 11:40	almost 7 years
4.0.8	MIT	12	2017-05-02 - 20:56	almost 7 years
4.0.7	MIT	12	2017-04-29 - 20:54	almost 7 years
4.0.6	MIT	12	2016-11-13 - 01:27	over 7 years
4.0.5	MIT	12	2015-11-20 - 05:07	over 8 years
4.0.4	MIT	12	2015-10-29 - 06:57	over 8 years
4.0.3	MIT	12	2015-09-24 - 03:41	over 8 years
4.0.2	MIT	12	2015-09-04 - 14:13	over 8 years
4.0.1	MIT	12	2015-09-03 - 02:21	over 8 years
4.0.0	MIT	12	2015-09-01 - 13:19	over 8 years
3.0.8	MIT	7	2020-02-23 - 10:02	about 4 years
3.0.7	MIT	12	2019-06-30 - 08:54	almost 5 years
3.0.6	MIT	13	2019-01-02 - 09:19	over 5 years
3.0.5	MIT	13	2018-12-15 - 13:16	over 5 years
3.0.4	MIT	13	2018-12-15 - 12:55	over 5 years
3.0.3	MIT	13	2015-04-28 - 19:52	almost 9 years
3.0.2	MIT	13	2015-04-20 - 08:11	about 9 years
3.0.1	MIT	13	2015-03-24 - 19:22	about 9 years
3.0.0	MIT	13	2015-02-10 - 06:19	about 9 years
2.0.0	MIT	13	2014-09-02 - 02:28	over 9 years
2.0.0-beta.1	MIT	13	2014-08-26 - 23:56	over 9 years
2.0.0-alpha.4	MIT	13	2014-05-20 - 04:15	almost 10 years
2.0.0-alpha.3	MIT	13	2014-05-20 - 03:29	almost 10 years
2.0.0-alpha.2	MIT	13	2014-03-06 - 07:29	about 10 years
2.0.0-alpha.1	MIT	13	2014-02-10 - 08:13	about 10 years
1.3.0	MIT	13	2014-01-02 - 04:10	over 10 years
1.2.1	MIT	13	2013-12-26 - 22:29	over 10 years
1.2.0	MIT	13	2013-12-24 - 03:40	over 10 years
1.1.2	BSD	13	2013-11-06 - 00:10	over 10 years
1.1.1	BSD	13	2013-11-04 - 16:51	over 10 years
1.1.0	BSD	13	2013-11-04 - 03:26	over 10 years
1.0.12	MIT	13	2013-05-31 - 18:17	almost 11 years
1.0.11	MIT	13	2013-05-14 - 04:09	almost 11 years
1.0.10	MIT	13	2013-02-27 - 13:52	about 11 years
1.0.9	MIT	13	2013-02-16 - 01:42	about 11 years
1.0.8	MIT	13	2013-01-19 - 08:16	over 11 years
1.0.7	MIT	13	2012-09-18 - 00:27	over 11 years
1.0.6	MIT	13	2012-07-23 - 20:40	almost 12 years
1.0.6-2	MIT	13	2012-07-31 - 16:51	over 11 years
1.0.5-beta	MIT	13	2012-02-09 - 17:06	about 12 years
1.0.4-beta	MIT	13	2012-01-17 - 20:31	over 12 years
1.0.2-beta	MIT	13	2011-08-22 - 07:43	over 12 years