CVE-2015-8861
published 2017-01-23CVE-2015-8861: The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an…
PriorityP425medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
3.00%
85.7th percentile
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mustache.js | — | — |
| handlebars.js_project | handlebars.js | < 4.0.0 | 4.0.0 |
| handlebarsjs | handlebars | >= 0 < 4.0.0 | 4.0.0 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.1MEDIUM
vendor_debian6.1LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Cross-Site Scripting in handlebars
ghsa·2018-10-23
CVE-2015-8861 [MEDIUM] CWE-79 Cross-Site Scripting in handlebars
Cross-Site Scripting in handlebars
Versions of `handlebars` prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
## Proof of Concept
Template:
``````
Input:
```{ 'foo' : 'test.com onload=alert(1)'}```
Rendered result:
``````
## Recommendation
Update to version 4.0.0 or later.
Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
OSV
Cross-Site Scripting in handlebars
osv·2018-10-23
CVE-2015-8861 [MEDIUM] Cross-Site Scripting in handlebars
Cross-Site Scripting in handlebars
Versions of `handlebars` prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
## Proof of Concept
Template:
``````
Input:
```{ 'foo' : 'test.com onload=alert(1)'}```
Rendered result:
``````
## Recommendation
Update to version 4.0.0 or later.
Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
OSV
CVE-2015-8861: The handlebars package before 4
osv·2017-01-23·CVSS 6.1
CVE-2015-8861 [MEDIUM] CVE-2015-8861: The handlebars package before 4
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
Debian
CVE-2015-8861: mustache.js - The handlebars package before 4.0.0 for Node.js allows remote attackers to condu...
vendor_debian·2015·CVSS 6.1
CVE-2015-8861 [MEDIUM] CVE-2015-8861: mustache.js - The handlebars package before 4.0.0 for Node.js allows remote attackers to condu...
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
Tenable
[R3] LCE 5.0.0 Fixes Multiple Third-party Library Vulnerabilities
blogs_tenable·2017-01-31
[R3] LCE 5.0.0 Fixes Multiple Third-party Library Vulnerabilities
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Bugzilla
CVE-2015-8862 CVE-2015-8861 mustache: handlebars: Quoteless Attributes in Templates can lead to Content Injection
bugzilla·2015-12-15·CVSS 6.1
CVE-2015-8862 [MEDIUM] CVE-2015-8862 CVE-2015-8861 mustache: handlebars: Quoteless Attributes in Templates can lead to Content Injection
CVE-2015-8862 CVE-2015-8861 mustache: handlebars: Quoteless Attributes in Templates can lead to Content Injection
The handlebars node module is missing some characters in its escaping mechanisms, allowing for possible XSS. This flaw also affects other modules, notably mustache, that implement the same logic.
CVE request:
http://seclists.org/oss-sec/2015/q4/472
External References:
https://blog.srcclr.com/handlebars_vulnerability_research_findings/
Discussion:
Created nodejs-handlebars tracking bugs for this issue:
Affects: fedora-all [bug 1291744]
---
Created nodejs-mustache tracking bugs for this issue:
Affects: fedora-all [bug 1291743]
---
nodejs-handlebars-4.0.5-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in t
http://www.openwall.com/lists/oss-security/2016/04/20/11http://www.securityfocus.com/bid/96434https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings/https://www.tenable.com/security/tns-2016-18http://www.openwall.com/lists/oss-security/2016/04/20/11http://www.securityfocus.com/bid/96434https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings/https://www.tenable.com/security/tns-2016-18
2017-01-23
Published