.*swagger-codegen-cli-3.0.18-gov4j-4.jar.* 10 .*swagger-codegen-cli-3.0.18.jar.* 10 ^pkg:javascript/handlebars@.*$ A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template ^pkg:javascript/handlebars@.*$ Denial of service ^pkg:javascript/handlebars@.*$ Prototype pollution ^pkg:javascript/handlebars@.*$ Disallow calling helperMissing and blockHelperMissing directly ^pkg:javascript/handlebars@.*$ handlebars issue: 1495 ^pkg:javascript/handlebars@.*$ handlebars issue: 1633 ^pkg:javascript/handlebars@.*$ Affected versions of `handlebars` are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. ## Recommendation Upgrade to version 4.4.5 or later. ^pkg:javascript/jquery@.*$ jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates ^pkg:javascript/handlebars@.*$ Versions of `handlebars` prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). The following template can be used to demonstrate the vulnerability: ```{{#with "constructor"}} {{#with split as |a|}} {{pop (push "alert('Vulnerable Handlebars JS');")}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 a)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}}``` ## Recommendation Upgrade to version 3.0.8, 4.5.2 or later. ^pkg:javascript/handlebars@.*$ Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a [previous issue](https://www.npmjs.com/advisories/1316). This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting)