Issues
- Prototype Pollution in handlebarsCOMPASS-286
- XSS via JQLite DOM manipulation functions in AngularJSCOMPASS-285
- Prototype Pollution in lodash.mergeCOMPASS-284
- Prototype Pollution in lodash.mergeCOMPASS-283
- Denial of Service in node-sassCOMPASS-282
- Denial of Service in handlebarsCOMPASS-281
- Arbitrary Code Execution in handlebarsCOMPASS-280
- Prototype Pollution in handlebarsCOMPASS-279
- Arbitrary Code Execution in handlebarsCOMPASS-278
- Regular Expression Denial of Service in npm-user-validateCOMPASS-277
- ReDOS vulnerabities: multiple grammarsCOMPASS-276
- Improper Privilege Management in shelljsCOMPASS-275
- Memory Exposure in tunnel-agentCOMPASS-274
- Memory Exposure in concat-streamCOMPASS-273
- Code Injection in js-yamlCOMPASS-272
- Denial of Service in js-yamlCOMPASS-271
- Regular Expression Denial of Service in clean-cssCOMPASS-270
- Regular Expression Denial of Service in bracesCOMPASS-269
- Command Injection in openCOMPASS-268
- Prototype Pollution in handlebarsCOMPASS-267
- XSS via JQLite DOM manipulation functions in AngularJSCOMPASS-266
- Prototype Pollution in lodash.mergeCOMPASS-265
- Prototype Pollution in lodash.mergeCOMPASS-264
- Denial of Service in node-sassCOMPASS-263
- Denial of Service in handlebarsCOMPASS-262
- Arbitrary Code Execution in handlebarsCOMPASS-261
- Prototype Pollution in handlebarsCOMPASS-260
- Arbitrary Code Execution in handlebarsCOMPASS-259
- Regular Expression Denial of Service in npm-user-validateCOMPASS-258
- ReDOS vulnerabities: multiple grammarsCOMPASS-257
- Improper Privilege Management in shelljsCOMPASS-256
- Memory Exposure in tunnel-agentCOMPASS-255
- Memory Exposure in concat-streamCOMPASS-254
- Code Injection in js-yamlCOMPASS-253
- Denial of Service in js-yamlCOMPASS-252
- Regular Expression Denial of Service in clean-cssCOMPASS-251
- Regular Expression Denial of Service in bracesCOMPASS-250
- Command Injection in openCOMPASS-249
- Prototype Pollution in lodashCOMPASS-248
- Prototype Pollution in lodashCOMPASS-247
- Prototype Pollution in lodashCOMPASS-246
- Prototype Pollution in handlebarsCOMPASS-245
- Regular Expression Denial of Service (ReDoS) in lodashCOMPASS-244
- Arbitrary File Overwrite in tarCOMPASS-243
- Prototype Pollution in angularCOMPASS-242
- npm symlink reference outside of node_modulesCOMPASS-241
- Arbitrary File Write in npmCOMPASS-240
- npm Vulnerable to Global node_modules Binary OverwriteCOMPASS-239
- Prototype Pollution in handlebarsCOMPASS-238
- Prototype Pollution in minimistCOMPASS-237
50 of 282
Prototype Pollution in handlebars
Description
Details
Assignee
UnassignedUnassignedReporter
onms security jiraonms security jiraPriority
Medium
Details
Details
Assignee
Unassigned
UnassignedReporter
onms security jira
onms security jira
Priority
MediumPagerDuty
PagerDuty
PagerDuty
Created August 2, 2023 at 12:48 PM
Updated August 2, 2023 at 3:27 PM
Activity
Show:
chiuen (Qun)August 2, 2023 at 3:26 PM
Infosec evaluated at the following risk:
CVSS Score: 7.0 x likelihood medium 0.8 = 5.6 medium
Versions of `handlebars` prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.
Recommendation
For handlebars 4.1.x upgrade to 4.1.2 or later.
For handlebars 4.0.x upgrade to 4.0.14 or later.
Repository: OpenNMS/opennms-compass (https://github.com/OpenNMS/opennms-compass)
Dependabot: https://github.com/OpenNMS/opennms-compass/security/dependabot/5
CVE:
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
GHSA: GHSA-q42p-pg8m-cqh6
Severity: high
Ecosystem: npm
Package Name: handlebars
Vulnerable Version Range: >= 4.0.0, < 4.0.14
First Patched Version: 4.0.14