CVE-2015-8861 (Medium) detected in handlebars-1.3.0.tgz, handlebars-1.0.12.tgz - autoclosed
Closed this issue · 1 comments
CVE-2015-8861 - Medium Severity Vulnerability
Vulnerable Libraries - handlebars-1.3.0.tgz, handlebars-1.0.12.tgz
handlebars-1.3.0.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz
Path to dependency file: macos-plist/package.json
Path to vulnerable library: macos-plist/node_modules/handlebars/package.json
Dependency Hierarchy:
- zuul-3.12.0.tgz (Root Library)
- browserify-istanbul-0.1.5.tgz
- istanbul-0.2.16.tgz
- ❌ handlebars-1.3.0.tgz (Vulnerable Library)
- istanbul-0.2.16.tgz
- browserify-istanbul-0.1.5.tgz
handlebars-1.0.12.tgz
Extension of the Mustache logicless template language
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.0.12.tgz
Path to dependency file: macos-plist/package.json
Path to vulnerable library: macos-plist/node_modules/hbs/node_modules/handlebars/package.json
Dependency Hierarchy:
- zuul-3.12.0.tgz (Root Library)
- hbs-2.4.0.tgz
- ❌ handlebars-1.0.12.tgz (Vulnerable Library)
- hbs-2.4.0.tgz
Found in HEAD commit: 9cee3646cabeaba7e6010d3ec4163529bcec875d
Found in base branch: master
Vulnerability Details
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
Publish Date: 2017-01-23
URL: CVE-2015-8861
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/61
Release Date: 2017-01-23
Fix Resolution: 4.0.0
Step up your Open Source Security Game with WhiteSource here
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.