CVSS: 9.8EPSS: 1%CPEs: 44EXPL: 0CVE-2019-19919 – nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads
https://notcve.org/view.php?id=CVE-2019-19919
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. Las versiones anteriores a 4.3.0 de handlebars, son vulnerables a la Contaminación de Prototipos conllevando a una ejecución de código remota. Las plantillas pueden alterar las propiedades __proto__ y __defineGetter__ de un Objeto, lo que puede permitir a un atacante ejecutar código arbitrario por medio de cargas útiles diseñadas. A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution. • https://www.npmjs.com/advisories/1164 https://www.tenable.com/security/tns-2021-14 https://access.redhat.com/security/cve/CVE-2019-19919 https://bugzilla.redhat.com/show_bug.cgi?id=1789959 • CWE-471: Modification of Assumed-Immutable Data (MAID) CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8861
https://notcve.org/view.php?id=CVE-2015-8861
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted. El paquete handlebars en versiones anteriores a 4.0.0 para Node.js permite a atacantes remotos levar a cabo ataque de secuencias de comandos en sitios cruzados (XSS) aprovechando una plantilla con un atributo que no se cita. • http://www.openwall.com/lists/oss-security/2016/04/20/11 http://www.securityfocus.com/bid/96434 https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings https://www.tenable.com/security/tns-2016-18 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •