CVSS: 9.8EPSS: 2%CPEs: 44EXPL: 1CVE-2019-19919 – nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads
https://notcve.org/view.php?id=CVE-2019-19919
20 Dec 2019 — Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. Las versiones anteriores a 4.3.0 de handlebars, son vulnerables a la Contaminación de Prototipos conllevando a una ejecución de código remota. Las plantillas pueden alterar las propiedades __proto__ y __defineGetter__ de un Objeto, lo que puede pe... • https://github.com/fazilbaig1/CVE-2019-19919 • CWE-471: Modification of Assumed-Immutable Data (MAID) CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8861
https://notcve.org/view.php?id=CVE-2015-8861
23 Jan 2017 — The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted. El paquete handlebars en versiones anteriores a 4.0.0 para Node.js permite a atacantes remotos levar a cabo ataque de secuencias de comandos en sitios cruzados (XSS) aprovechando una plantilla con un atributo que no se cita. • http://www.openwall.com/lists/oss-security/2016/04/20/11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •