The handlebars node module is missing some characters in its escaping mechanisms, allowing for possible XSS. This flaw also affects other modules, notably mustache, that implement the same logic.

CVE request: http://seclists.org/oss-sec/2015/q4/472

External References: https://blog.srcclr.com/handlebars_vulnerability_research_findings/

Created nodejs-handlebars tracking bugs for this issue: Affects: fedora-all [bug 1291744]
Created nodejs-mustache tracking bugs for this issue: Affects: fedora-all [bug 1291743]
nodejs-handlebars-4.0.5-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
nodejs-handlebars-4.0.5-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
nodejs-handlebars-4.0.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
nodejs-handlebars-4.0.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1295755 has been marked as a duplicate of this bug. ***

CVE assignments: http://seclists.org/oss-sec/2016/q2/122

Advisories:
https://nodesecurity.io/advisories/61
https://nodesecurity.io/advisories/62

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.