[Secure-testing-commits] r39983 - data/CVE
Paul Wise
pabs at moszumanska.debian.org
Sat Feb 27 10:25:33 UTC 2016
Author: pabs
Date: 2016-02-27 10:25:33 +0000 (Sat, 27 Feb 2016)
New Revision: 39983
Modified:
data/CVE/list
Log:
content injection in handlebars
See-also: https://lists.debian.org/msgid-search/145651316966.24887.17820985410203863222@auryn.jones.dk
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-02-27 10:16:27 UTC (rev 39982)
+++ data/CVE/list 2016-02-27 10:25:33 UTC (rev 39983)
@@ -544,6 +544,13 @@
NOT-FOR-US: SAP
CVE-2016-2386 (SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE ...)
NOT-FOR-US: SAP
+CVE-2015-XXXX [handlebars: quoteless attributes in templates can lead to content injection]
+ - libjs-handlebars <unfixed>
+ - ruby-handlebars-assets <unfixed>
+ NOTE: fixed in 4.0.0
+ NOTE: https://blog.srcclr.com/handlebars_vulnerability_research_findings/
+ NOTE: https://github.com/wycats/handlebars.js/pull/1083
+ NOTE: https://nodesecurity.io/advisories/61
CVE-2015-XXXX [quoteless attributes in templates can lead to content injection]
- mustache.js <unfixed>
NOTE: fixed in 2.2.1
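Review bot: the new handlebars entry is filed under the placeholder id CVE-2015-XXXX, the same placeholder the mustache.js entry directly below it already uses, so the two issues are indistinguishable by id in data/CVE/list until real CVE ids are assigned; consider marking the entry with a TODO to revisit once an id is allocated, or recording that a request is pending. Also, the two package lines `- libjs-handlebars <unfixed>` and `- ruby-handlebars-assets <unfixed>` carry no bug reference while the NOTE records the upstream fix in 4.0.0; a Debian bug number on each line (or a TODO to check whether ruby-handlebars-assets ships an affected handlebars copy) would make the entry actionable for the packagers.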