
Add advisory for handlebars-source <4.0.0 for "Quoteless attributes in templates can lead to XSS" #216

Closed
reedloden opened this issue Dec 11, 2015 · 5 comments
@reedloden
Member

I just noticed that rubygems tracks handlebars.js via https://rubygems.org/gems/handlebars-source as well, sigh...

https://blog.srcclr.com/handlebars_vulnerability_research_findings/

https://srcclr.com/catalog/vulnerabilities/1878

handlebars-lang/handlebars.js#1083

RetireJS/retire.js@8d3c91e

@reedloden
Member Author

@VanessaHenderson How can I get you folks to let RubySec and Node Security Project know about these things when you find them? :)

@reedloden
Member Author

This issue also affects mustache.js (see janl/mustache.js@378bcca), which means https://github.com/knapo/mustache-js-rails is affected.

@reedloden
Member Author

Requested a CVE from MITRE, as well as an ID from OSVDB.

@phillmv
Member

phillmv commented Dec 11, 2015

Whoa, nice going @VanessaHenderson!

@reedloden
Member Author

mustache-js-rails v2.0.3 was just released with a fix for this issue.
