CVE-2019-19919.yml
---
gem: bootstrap-wysihtml5-rails
cve: 2019-19919
ghsa: w457-6q6x-cgp9
url: https://github.com/advisories/GHSA-w457-6q6x-cgp9
title: Prototype Pollution in handlebars
date: 2019-12-26
description: |
  The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'.
  Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0.
  Versions Affected: 0.3.3.5-0.3.3.8
  Not affected: < 0.3.3.5
  Fixed Versions: None
  Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution.
  Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute
  arbitrary code through crafted payloads.
cvss_v3: 9.8
unaffected_versions:
  - "< 0.3.3.5"
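The check below is an added example, not code from ruby-advisory-db or bundler-audit. It evaluates this advisory against an installed bootstrap-wysihtml5-rails version the way an audit tool does (a version is vulnerable unless it satisfies an `unaffected_versions` or `patched_versions` requirement) and maps the gem version to the handlebars release it vendors, using the ranges stated in the description. The inline advisory copy is constructed from the fields above; only RubyGems version semantics (`Gem::Version`, `Gem::Requirement`) are assumed.

```ruby
# Added example, not code from ruby-advisory-db or bundler-audit: evaluate this
# advisory against an installed version of bootstrap-wysihtml5-rails and against
# the handlebars version it vendors. Assumes only RubyGems version semantics.
require "rubygems"
require "yaml"

# Constructed inline copy of the advisory fields the check needs.
ADVISORY_YAML = <<~YAML
  gem: bootstrap-wysihtml5-rails
  cve: 2019-19919
  unaffected_versions:
    - "< 0.3.3.5"
YAML
ADVISORY = YAML.safe_load(ADVISORY_YAML)

# Gem version ranges and the handlebars version each range vendors, taken from
# the advisory description.
BUNDLED_HANDLEBARS = [
  [Gem::Requirement.new(">= 0.3.3.5", "<= 0.3.3.6"), "1.3.0"],
  [Gem::Requirement.new(">= 0.3.3.7", "<= 0.3.3.8"), "3.0.2"],
].freeze

# True when the installed gem version satisfies none of the advisory's
# unaffected_versions or patched_versions requirements. This advisory lists
# no patched_versions ("Fixed Versions: None"), so every version >= 0.3.3.5,
# including any future release, is reported as vulnerable until it is updated.
def vulnerable?(advisory, version_string)
  version = Gem::Version.new(version_string)
  %w[unaffected_versions patched_versions].none? do |key|
    Array(advisory[key]).any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  end
end

# Handlebars version vendored by a given gem version, or nil when the advisory
# does not say (versions outside 0.3.3.5-0.3.3.8).
def bundled_handlebars(version_string)
  version = Gem::Version.new(version_string)
  pair = BUNDLED_HANDLEBARS.find { |req, _| req.satisfied_by?(version) }
  pair && pair.last
end

# "Versions of handlebars prior to 3.0.8 or 4.3.0": the 3.x line is fixed at
# 3.0.8 and the 4.x line at 4.3.0; anything older on either line is vulnerable.
def handlebars_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  if version < Gem::Version.new("4.0.0")
    version < Gem::Version.new("3.0.8")
  else
    version < Gem::Version.new("4.3.0")
  end
end

if __FILE__ == $PROGRAM_NAME
  installed = ARGV.fetch(0, "0.3.3.8") # constructed default for demonstration
  status = vulnerable?(ADVISORY, installed) ? "VULNERABLE" : "not affected"
  puts "#{ADVISORY['gem']} #{installed}: #{status} (CVE-#{ADVISORY['cve']})"
  hb = bundled_handlebars(installed)
  puts "vendored handlebars #{hb}: #{handlebars_vulnerable?(hb) ? 'vulnerable' : 'fixed'}" if hb
end
```

Run it as `ruby check.rb 0.3.3.7` (or with no argument for the constructed default). Because the advisory has no patched versions, the check deliberately does not stop at 0.3.3.8: a hypothetical 0.3.3.9 would still be flagged, which is the correct reading of "Fixed Versions: None" and is why the gem's upper bound is not encoded as a requirement.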