TEMP-0000000-345A3B

Name: TEMP-0000000-345A3B
Description: handlebars: quoteless attributes in templates can lead to content injection
Source: Automatically generated temporary name. Not for external reference.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                Release                Version          Status
ruby-handlebars-assets (PTS)  buster                 2:0.23.3+dfsg-2  vulnerable
ruby-handlebars-assets (PTS)  bullseye               2:0.23.8+dfsg-3  vulnerable
ruby-handlebars-assets (PTS)  bookworm, sid, trixie  2:0.23.9+dfsg-1  vulnerable

The information below is based on the following data on fixed versions.

Package                 Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
libjs-handlebars        source  (unstable)  (unfixed)      unimportant
ruby-handlebars-assets  source  (unstable)  (unfixed)      unimportant

Notes

fixed in 4.0.0
https://blog.srcclr.com/handlebars_vulnerability_research_findings/
https://github.com/wycats/handlebars.js/pull/1083
https://nodesecurity.io/advisories/61
Security hardening, not a vulnerability
