Arbitrary Code Execution via Lookup Helper in Handlebars

Arbitrary Code Execution via Lookup Helper in Handlebars

CVE-2019-20920 · HIGH Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Learn more about our Cis Benchmark Audit For Server Software.