CVE-2019-20920
Published: 2020-09-30
Priority: P3 · 47 · high · CVSS 3.1 base score 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
EPSS: 3.19% (86.5th percentile)
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | < node-handlebars 3:4.5.3-1 (bookworm) | node-handlebars 3:4.5.3-1 (bookworm) |
| handlebarsjs | handlebars | < 3.0.8 | 3.0.8 |
| handlebarsjs | handlebars | >= 0 < 3.0.8 | 3.0.8 |
| handlebarsjs | handlebars | >= 4.0.0 < 4.5.3 | 4.5.3 |
| handlebarsjs | handlebars | >= 4.0.0 < 4.5.3 | 4.5.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.1 | HIGH | |
| vendor_debian | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |
Red Hat (vendor_redhat · 2019-11-04 · CVSS 8.1 · HIGH · CWE-20)
nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server
Debian (vendor_debian · 2019 · CVSS 8.1 · HIGH)
node-handlebars
Scope: local
bookworm: resolved (fixed in 3:4.5.3-1)
bullseye: resolved (fixed in 3:4.5.3-1)
forky: resolved (fixed in 3:4.5.3-1)
sid: resolved (fixed in 3:4.5.3-1)
trixie: resolved (fixed in 3:4.5.3-1)
OSV (osv · 2022-02-10 · HIGH)
Arbitrary Code Execution in Handlebars
GHSA (ghsa · 2022-02-10 · HIGH · CWE-94)
Arbitrary Code Execution in Handlebars
OSV (osv · 2020-09-30 · CVSS 8.1 · HIGH)
CVE-2019-20920: Handlebars before 3
No detection rules found.
No public exploits indexed.
Bugzilla (bugzilla · 2020-09-24 · CVSS 8.1 · HIGH)
CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
References:
https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324
Discussion:
Created /nodejs-handlebars tracking bugs for this issue:
Affects: epel-all [bug 1882262]
Affects: fedora-all [bug 1882261]
---
This looks like upstream patch:
https://
Bugzilla (bugzilla · 2020-09-24 · CVSS 8.1 · HIGH)
CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit me
Bugzilla (bugzilla · 2020-09-24 · CVSS 8.1 · HIGH)
CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commi