TEMP-0000000-345A3B

NameTEMP-0000000-345A3B
Descriptionhandlebars: quoteless attributes in templates can lead to content injection
SourceAutomatically generated temporary name. Not for external reference.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libjs-handlebars (PTS)jessie1.3.0-1vulnerable
stretch3:4.0.5-4vulnerable
ruby-handlebars-assets (PTS)jessie0.15-2vulnerable
stretch/contrib2:0.23.1-1vulnerable
buster2:0.23.3+dfsg-2vulnerable
bullseye2:0.23.8+dfsg-3vulnerable
sid, trixie, bookworm2:0.23.9+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libjs-handlebarssource(unstable)(unfixed)unimportant
ruby-handlebars-assetssource(unstable)(unfixed)unimportant

Notes

fixed in 4.0.0
https://blog.srcclr.com/handlebars_vulnerability_research_findings/
https://github.com/wycats/handlebars.js/pull/1083
https://nodesecurity.io/advisories/61
Security hardening, not a vulnerability
Search for package or bug name: Reporting problems