Vulnerability Details CVE-2019-20920
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.8%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
Products affected by CVE-2019-20920
-
cpe:2.3:a:handlebarsjs:handlebars:0.9.0
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.0
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.10
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.11
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.12
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.5
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.6
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.6-2
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.7
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.8
-
cpe:2.3:a:handlebarsjs:handlebars:1.0.9
-
cpe:2.3:a:handlebarsjs:handlebars:1.1.0
-
cpe:2.3:a:handlebarsjs:handlebars:1.1.1
-
cpe:2.3:a:handlebarsjs:handlebars:1.1.2
-
cpe:2.3:a:handlebarsjs:handlebars:1.2.0
-
cpe:2.3:a:handlebarsjs:handlebars:1.2.1
-
cpe:2.3:a:handlebarsjs:handlebars:1.3.0
-
cpe:2.3:a:handlebarsjs:handlebars:2.0.0
-
cpe:2.3:a:handlebarsjs:handlebars:3.0.0
-
cpe:2.3:a:handlebarsjs:handlebars:3.0.1
-
cpe:2.3:a:handlebarsjs:handlebars:3.0.2
-
cpe:2.3:a:handlebarsjs:handlebars:3.0.3
-
cpe:2.3:a:handlebarsjs:handlebars:3.0.4
-
cpe:2.3:a:handlebarsjs:handlebars:3.0.5
-
cpe:2.3:a:handlebarsjs:handlebars:3.0.6
-
cpe:2.3:a:handlebarsjs:handlebars:3.0.7
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.0
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.1
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.10
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.11
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.12
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.13
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.13-0
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.14
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.2
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.3
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.4
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.5
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.6
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.7
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.8
-
cpe:2.3:a:handlebarsjs:handlebars:4.0.9
-
cpe:2.3:a:handlebarsjs:handlebars:4.1.0
-
cpe:2.3:a:handlebarsjs:handlebars:4.1.1
-
cpe:2.3:a:handlebarsjs:handlebars:4.1.2
-
cpe:2.3:a:handlebarsjs:handlebars:4.1.2-0
-
cpe:2.3:a:handlebarsjs:handlebars:4.2.0
-
cpe:2.3:a:handlebarsjs:handlebars:4.2.1
-
cpe:2.3:a:handlebarsjs:handlebars:4.2.2
-
cpe:2.3:a:handlebarsjs:handlebars:4.3.0
-
cpe:2.3:a:handlebarsjs:handlebars:4.3.1
-
cpe:2.3:a:handlebarsjs:handlebars:4.3.2
-
cpe:2.3:a:handlebarsjs:handlebars:4.3.3
-
cpe:2.3:a:handlebarsjs:handlebars:4.3.4
-
cpe:2.3:a:handlebarsjs:handlebars:4.3.5
-
cpe:2.3:a:handlebarsjs:handlebars:4.4.0
-
cpe:2.3:a:handlebarsjs:handlebars:4.4.1
-
cpe:2.3:a:handlebarsjs:handlebars:4.4.2
-
cpe:2.3:a:handlebarsjs:handlebars:4.4.3
-
cpe:2.3:a:handlebarsjs:handlebars:4.4.4
-
cpe:2.3:a:handlebarsjs:handlebars:4.4.5
-
cpe:2.3:a:handlebarsjs:handlebars:4.5.0
-
cpe:2.3:a:handlebarsjs:handlebars:4.5.1
-
cpe:2.3:a:handlebarsjs:handlebars:4.5.2