
CVSS: 9.8 | EPSS: 3% | CPEs: 2 | EXPL: 5

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. A flaw was found in nodejs-handlebars. An unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the JavaScript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References:
https://github.com/dn9uy3n/Check-CVE-2021-23383
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
https://security.netapp.com/advisory/ntap-20210618-0007
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
https://access.redhat.com/security/cve/CVE-2021-23383
https://bugzilla.redhat.com/show_bug.cgi&

CWE: CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 9.8 | EPSS: 14% | CPEs: 1 | EXPL: 4

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the JavaScript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References:
https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
https://security.netapp.com/advisory/ntap-20210604-0008
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
https://access.redhat.com/security/cve/CVE-2021-23369
https://

CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.1 | EPSS: 0% | CPEs: 2 | EXPL: 1

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

References:
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324
https://access.redhat.com/security/cve/CVE-2019-20920
https://bugzilla.redhat.com/show_bug.cgi?id=1882260

CWE: CWE-20: Improper Input Validation; CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

References:
https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
https://www.npmjs.com/advisories/1300
https://access.redhat.com/security/cve/CVE-2019-20922
https://bugzilla.redhat.com/show_bug.cgi?id=1882256

CWE: CWE-400: Uncontrolled Resource Consumption