Handlebars - Remote Code Execution possible in compat and strict mode on versions under 4.7.7

Impact area

Security

Severity

High

Affected element

ServiceNow: UI Script

Salesforce: Static Resource

Rule number

SN-JSL-HANDLEBARS-LESSTHAN-V477 (for ServiceNow)

SF-JSL-HANDLEBARS-LESSTHAN-V477 (for Salesforce)

Impact

Due to insufficient escaping of the input template, an attacker could inject code into templates compiled in "compat" mode. Templates compiled in "strict" mode were affected as well, because the lookup method used in strict mode did not call the safeguard methods that block access to dangerous properties.

Remediation

Update the Handlebars JS library to the latest version.
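As an added example, not part of this rule page or of the Handlebars project, the kind of version check this rule performs over a UI Script or Static Resource. It assumes the bundled library still carries the "handlebars vX.Y.Z" banner comment of the dist builds; the sample sources are constructed.

```javascript
// Added example: flag copies of Handlebars older than the fixed release 4.7.7.
// Assumption: the bundled file keeps the "handlebars vX.Y.Z" banner of the dist builds.
const FIXED_VERSION = [4, 7, 7];

// Parses "major.minor.patch" into a numeric triple, or null when it does not match.
function parseVersion(str) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(str);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison so that 4.10.0 is correctly newer than 4.7.7 (string compare would fail).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Locates the Handlebars version banner inside the JavaScript source of a resource.
function detectHandlebarsVersion(source) {
  const m = /handlebars\s+v?(\d+\.\d+\.\d+)/i.exec(source);
  return m ? m[1] : null;
}

// Returns the rule id for the platform when the detected version is below 4.7.7.
function checkResource(name, source, platform = 'ServiceNow') {
  const version = detectHandlebarsVersion(source);
  if (!version) return { name, version: null, finding: null };
  const vulnerable = compareVersions(parseVersion(version), FIXED_VERSION) < 0;
  const prefix = platform === 'Salesforce' ? 'SF' : 'SN';
  return { name, version, finding: vulnerable ? `${prefix}-JSL-HANDLEBARS-LESSTHAN-V477` : null };
}

// Constructed sample inputs imitating the banner of bundled library files.
const SAMPLES = {
  'handlebars.min.js': '/**!\n @license\n handlebars v4.7.6\n*/',
  'handlebars-fixed.js': '/**!\n @license\n handlebars v4.7.7\n*/',
  'other-lib.js': '/* some other library without Handlebars */',
};

function scanAll(samples = SAMPLES, platform = 'ServiceNow') {
  return Object.entries(samples).map(([n, s]) => checkResource(n, s, platform));
}

console.log(scanAll());
```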

Time to fix

30 min

References

This rule is linked to Common Weakness Enumeration CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Last modified on Nov 9, 2022