
CVSS: 9.8 | EPSS: 1% | CPEs: 44 | EXPL: 0

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution.

• https://www.npmjs.com/advisories/1164
• https://www.tenable.com/security/tns-2021-14
• https://access.redhat.com/security/cve/CVE-2019-19919
• https://bugzilla.redhat.com/show_bug.cgi?id=1789959

• CWE-471: Modification of Assumed-Immutable Data (MAID)
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')