CVE-2019-20920
Arbitrary Code Execution in Handlebars
Severity: 8.1 HIGH (CVSS 3.1); EPSS: 0.34%
Description
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
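Because the fix is purely a version upgrade, the first thing a practitioner wants is a reliable way to tell whether an installed copy of Handlebars falls inside the affected ranges given above (before 3.0.8, and 4.x before 4.5.3). The following is an added example, not code from this advisory or from the Handlebars project: it parses plain and distro-style version strings (such as the `3:4.5.3-1` form listed on this page, where `3:` is an epoch and `-1` a package revision), compares them against the ranges from the description, and scans a package-lock style object for affected copies, including nested ones. The function names and the sample lockfile object are constructed for illustration.

```javascript
// Added example (not from the advisory or the Handlebars project).
// Affected ranges taken from the CVE-2019-20920 description:
//   - everything before 3.0.8
//   - 4.x before 4.5.3

// Parse "4.5.2", "v4.5.2" or a distro-style "3:4.5.3-1" (epoch + revision)
// into [major, minor, patch]. Epoch and revision are stripped because the
// upstream ranges are expressed in plain semver.
function parseVersion(v) {
  const m = String(v).trim().match(/^v?(?:\d+:)?(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; only major.minor.patch are compared.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Half-open ranges [introduced, fixed) as stated in the description.
const AFFECTED_RANGES = [
  { introduced: '0.0.0', fixed: '3.0.8' }, // any release before 3.0.8
  { introduced: '4.0.0', fixed: '4.5.3' }, // 4.x before 4.5.3
];

// True when the given version is inside any affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.introduced) >= 0 &&
           compareVersions(version, r.fixed) < 0,
  );
}

// Constructed sample in the shape of a lockfileVersion 2/3 package-lock.json:
// one top-level handlebars that is affected and one nested copy that is not.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/handlebars': { version: '4.5.2' },
    'node_modules/some-tool/node_modules/handlebars': { version: '4.7.8' },
    'node_modules/neo-async': { version: '2.6.2' },
  },
};

// Walk every package entry, pick out handlebars installs at any nesting
// depth, and report the ones whose version is affected.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/handlebars$/.test(path)) continue;
    if (entry && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Stand-alone usage: print the affected copies found in the sample lockfile.
console.log(findAffectedInLock(SAMPLE_LOCK));
```

In a real check you would `JSON.parse` the project's `package-lock.json` and pass the result to `findAffectedInLock`; a non-empty result means at least one copy of Handlebars, possibly one pulled in transitively by a build tool, still needs the upgrade described in the fix section.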
How to fix CVE-2019-20920
To remediate CVE-2019-20920, upgrade the affected package to a fixed version below.
- upgrade to 3:4.5.3-1 or later
- upgrade to 3.0.8 or later
Is CVE-2019-20920 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3:4.5.3-1
- from 0, < 3.0.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L |