Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Medium
Fix Version/s: Guilin Release
Affects Version/s: Dublin Release
Component/s: sdnc-apps
Labels:
- Security

Epic Link:
Security bugs
Sprint:
SDNC Dublin Spr 3 3/11 - 3/29, SDNC Fr Sp2:11/23-12/13

The handlebars.js script is vulnerable to a cross site scripting (XSS) vulnerability, due to the fact that its escapeExpression class does not properly escape the equal (=) sign.

This only occurs when double curly braces {{}} are used (as opposed to triple, which does no escaping).

This appears to be fixed in version 4.0.0 and above.

See https://github.con/wycats/handlebars.js/pull/1083

relates to

LOG-827 Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...

Assignee:: Unassigned

Reporter:: Dan Timoney

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 23/Jan/19 2:06 PM

Updated:: 15/Jul/20 11:01 AM

Resolved:: 15/Jul/20 11:01 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates