CVE-2015-8861 — Cross-site Scripting in Project Handlebars.js

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.7%

top 28.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Handlebars.js Project Handlebars.js Handlebarsjs Handlebars

Timeline

PublishedJan 23

Latest updateOct 23

Description

The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶npmhandlebarsjs/handlebars< 4.0.0

▶NVDhandlebars.js_project/handlebars.js< 4.0.0

Patches

Patch: www.sourceclear.com ↗Patch: www.sourceclear.com ↗

🔴Vulnerability Details

GHSA

Cross-Site Scripting in handlebars↗2018-10-23

▶

OSV

Cross-Site Scripting in handlebars↗2018-10-23

▶

CVEList

CVE-2015-8861: The handlebars package before 4↗2017-01-23

▶

OSV

CVE-2015-8861: The handlebars package before 4↗2017-01-23

▶

📋Vendor Advisories

Debian

CVE-2015-8861: mustache.js - The handlebars package before 4.0.0 for Node.js allows remote attackers to condu...↗2015

▶

💬Community

Bugzilla

CVE-2015-8862 CVE-2015-8861 mustache: handlebars: Quoteless Attributes in Templates can lead to Content Injection↗2015-12-15

▶