search

uniquelyparticular / sync-shipengine-to-moltin

This Particular example demonstrates how you can sync shipping delivered status from ShipEngine into Moltin via Webhook API.
https://uniquelyparticular.com
MIT License
1 stars 0 forks source link

WS-2019-0332 (Medium) detected in handlebars-4.1.2.tgz #52

Open mend-bolt-for-github[bot] opened 4 years ago

mend-bolt-for-github[bot] commented 4 years ago

WS-2019-0332 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-shipengine-to-moltin/package.json

Path to vulnerable library: sync-shipengine-to-moltin/node_modules/handlebars/package.json

Dependency Hierarchy: - semantic-release-15.13.14.tgz (Root Library) - release-notes-generator-7.1.4.tgz - conventional-changelog-writer-4.0.3.tgz - :x: **handlebars-4.1.2.tgz** (Vulnerable Library)

Found in HEAD commit: 4a131afcc6b0030d4d24794824c4f5a28e9bc098

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Step up your Open Source Security Game with WhiteSource here