YJSoft/macos-plist

CVE-2015-8861 (Medium) detected in handlebars-1.3.0.tgz, handlebars-1.0.12.tgz - autoclosed

Closed this issue · 1 comments

mend-bolt-for-github commented

CVE-2015-8861 - Medium Severity Vulnerability

Vulnerable Libraries - handlebars-1.3.0.tgz, handlebars-1.0.12.tgz

handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: macos-plist/package.json

Path to vulnerable library: macos-plist/node_modules/handlebars/package.json

Dependency Hierarchy:

  • zuul-3.12.0.tgz (Root Library)
    • browserify-istanbul-0.1.5.tgz
      • istanbul-0.2.16.tgz
        • handlebars-1.3.0.tgz (Vulnerable Library)
handlebars-1.0.12.tgz

Extension of the Mustache logicless template language

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.0.12.tgz

Path to dependency file: macos-plist/package.json

Path to vulnerable library: macos-plist/node_modules/hbs/node_modules/handlebars/package.json

Dependency Hierarchy:

  • zuul-3.12.0.tgz (Root Library)
    • hbs-2.4.0.tgz
      • handlebars-1.0.12.tgz (Vulnerable Library)

Found in HEAD commit: 9cee3646cabeaba7e6010d3ec4163529bcec875d

Found in base branch: master

Vulnerability Details

The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.

Publish Date: 2017-01-23

URL: CVE-2015-8861

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/61

Release Date: 2017-01-23

Fix Resolution: 4.0.0

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github commented

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.