CVE-2015-8861: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(updated )
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
References
- www.openwall.com/lists/oss-security/2016/04/20/11
- www.securityfocus.com/bid/96434
- blog.srcclr.com/handlebars_vulnerability_research_findings/
- github.com/advisories/GHSA-9prh-257w-9277
- github.com/wycats/handlebars.js/pull/1083
- nvd.nist.gov/vuln/detail/CVE-2015-8861
- www.npmjs.com/advisories/61
- www.sourceclear.com/blog/handlebars_vulnerability_research_findings/
- www.tenable.com/security/tns-2016-18
Detect and mitigate CVE-2015-8861 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →