Date: Fri, 11 Dec 2015 08:26:29 -0800 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: CVE request: handlebars node.js module <4.0.0 - "Quoteless attributes in templates can lead to XSS" As seen on SRC:CLR -- https://blog.srcclr.com/handlebars_vulnerability_research_findings/ Blog post has all the details, but basically the handlebars node module is missing some characters in its escaping mechanisms, allowing for possible XSS. Handlebars "provides the power necessary to let you build semantic templates effectively with no frustration". Node.js module: handlebars (https://www.npmjs.com/package/handlebars) Affects: 3.0.3 and earlier Fixed in: 4.0.0 Reported via https://github.com/wycats/handlebars.js/pull/1083 Fixed by https://github.com/wycats/handlebars.js/commit/83b8e846a3569bd366cf0b6bdc1e4604d1a2077e (note that the SRC:CLR blog post mentions an incorrect commit id for the actual fix) Can a CVE be assigned? Note that this also affects many other Node.js and rubygems as well, as the code was copy/pasted a lot. See also https://github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5 . Thanks, ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.