grunt-assemble-i18n

moderate severity security vulnerability on handlebars dependency

Open rbecheras opened this issue 7 years ago • 3 comments

The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.

The actual dependency is on handlebars v1.3.0.

See the CVE ticket: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8861

Thus handlebars should be upgraded to v4+, i.e. to the latest stable release.

NB:

  • The priority is low because it is a devDependency.
  • The upgrade could break the CI jobs because it moves over 3 major releases: v1.x -> v4.x

rbecheras avatar Feb 21 '18 13:02 rbecheras
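An added example, not code from the grunt-assemble-i18n project or from anyone in this thread, showing what the CVE description above means in practice: with an unquoted attribute in the template, a value that merely contains a space and an `=` becomes a second attribute, and the 4.0.0 change that additionally escapes `=` is what stops that. The two escape tables are a reimplementation modelled on `Handlebars.Utils.escapeExpression` so the file runs without the handlebars package installed; they are an assumption about the library's internals, not copied from it. The template strings and the `x onmouseover=alert(1)` payload are constructed for the demonstration.

```javascript
// Added example, not code from the grunt-assemble-i18n project or the issue thread.
// It shows why an unquoted attribute in a handlebars < 4.0.0 template is an XSS
// sink (CVE-2015-8861) and what the 4.0.0 escaping change does about it.
// The two escape tables are a reimplementation modelled on
// Handlebars.Utils.escapeExpression so the file runs without the handlebars
// package; treat them as an assumption about the library, not copied code.

// Characters escaped by handlebars 1.x-3.x (assumed set).
const ESCAPE_PRE_4 = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
// 4.0.0 additionally escapes '=', so injected text can no longer form a
// name=value pair inside an unquoted attribute.
const ESCAPE_4 = Object.assign({ '=': '&#x3D;' }, ESCAPE_PRE_4);

function makeEscaper(table) {
  // None of the escaped characters is special inside a regex character class.
  const re = new RegExp('[' + Object.keys(table).join('') + ']', 'g');
  return (value) => String(value).replace(re, (c) => table[c]);
}
const escapePre4 = makeEscaper(ESCAPE_PRE_4);
const escape4 = makeEscaper(ESCAPE_4);

// Minimal {{name}} substitution standing in for Handlebars.compile(tpl)(ctx).
function render(template, ctx, escape) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    escape(Object.prototype.hasOwnProperty.call(ctx, key) ? ctx[key] : ''));
}

// Attribute names of the first start tag, tokenized roughly the way an HTML
// parser does: a name runs until whitespace or '=', a value is either quoted
// or runs until whitespace / '>'. Character references are NOT decoded in
// attribute names, which is why an escaped '=' cannot start a value.
function attributeNames(html) {
  const tag = /^<[a-zA-Z][^\s>]*\s*([^>]*)>/.exec(html);
  if (!tag) return [];
  const attr = /([^\s=]+)(?:=("[^"]*"|'[^']*'|[^\s>]*))?/g;
  const names = [];
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

const UNQUOTED = '<a href={{url}}>link</a>';   // the pattern the CVE describes
const QUOTED = '<a href="{{url}}">link</a>';   // what the template author should write
const PAYLOAD = 'x onmouseover=alert(1)';      // constructed attacker-controlled value

function renderUnquotedPre4() { return render(UNQUOTED, { url: PAYLOAD }, escapePre4); }
function renderUnquoted4()    { return render(UNQUOTED, { url: PAYLOAD }, escape4); }
function renderQuotedPre4()   { return render(QUOTED, { url: PAYLOAD }, escapePre4); }

// True when the payload managed to become its own event-handler attribute.
function gainedHandler(html) { return attributeNames(html).includes('onmouseover'); }

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, html] of [
    ['unquoted, pre-4.0.0 escaping', renderUnquotedPre4()],
    ['unquoted, 4.0.0 escaping    ', renderUnquoted4()],
    ['quoted, pre-4.0.0 escaping  ', renderQuotedPre4()],
  ]) {
    console.log(label, gainedHandler(html) ? 'INJECTED' : 'safe', html);
  }
}
```

The third case is the one worth remembering when triaging a report like this: quoting the attribute in the template neutralises the payload even with the old escape set, so the CVE only bites templates that already omit the quotes. Upgrading handlebars closes that gap for templates you do not control; fixing the templates closes it regardless of version.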

@rbecheras Thanks for the issue! If you're reporting a bug, please be sure to include:

  • The version of assemble you are using.
  • Your assemblefile.js (This can be in a gist)
  • The commandline output. (Screenshot or gist is fine)
  • What you expected to happen instead.

assemblebot avatar Feb 21 '18 13:02 assemblebot

Handlebars isn't even used directly in this lib or the tests. I don't remember why it's in here. If you'd like to remove it and see if the tests pass, I'm fine with that.

doowb avatar Feb 21 '18 15:02 doowb

Yes indeed, it's a bit weird to have it as a development dependency. I'll try to remove it and we'll see.

rbecheras avatar Feb 21 '18 16:02 rbecheras