Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CALPTtNVT18A8p5Cxd8uK-TM1rMcNU9JuyXiepevKeVarrifYOA@mail.gmail.com>
Date: Fri, 11 Dec 2015 08:26:29 -0800
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: handlebars node.js module <4.0.0 - "Quoteless attributes
 in templates can lead to XSS"

As seen on SRC:CLR --
https://blog.srcclr.com/handlebars_vulnerability_research_findings/

Blog post has all the details, but basically the handlebars node module is
missing some characters in its escaping mechanisms, allowing for possible
XSS.

Handlebars "provides the power necessary to let you build semantic
templates effectively with no frustration".

Node.js module: handlebars (https://www.npmjs.com/package/handlebars)
Affects: 3.0.3 and earlier
Fixed in: 4.0.0
Reported via https://github.com/wycats/handlebars.js/pull/1083
Fixed by
https://github.com/wycats/handlebars.js/commit/83b8e846a3569bd366cf0b6bdc1e4604d1a2077e
(note that the SRC:CLR blog post mentions an incorrect commit id for the
actual fix)

Can a CVE be assigned?

Note that this also affects many other Node.js and rubygems as well, as the
code was copy/pasted a lot. See also
https://github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5
.

Thanks,
~reed

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.