Two security issues have been found and are fixed in the referenced commits:
- Due to insufficient escaping of the input template, it was possible to inject code into templates that are compiled in "compat" mode.
- In "strict" mode, the exploits disclosed in the npm security advisories 755, 1164, 1316, 1324 and 1325 and in the blog article of Mahmoud Gamal were possible again, because the lookup method used in strict mode did not call the safeguard methods.
The issues were disclosed a couple of weeks ago at https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767 and are fixed in version 4.7.7.
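To make the two classes of defect concrete, here is an added illustration that is not Handlebars' own compiler or runtime: a toy mustache compiler that turns "{{a.b}}" templates into a JavaScript function. Two options stand in for the two bullets above. `escapeIdentifiers` controls whether identifiers taken from the template are escaped before being spliced into the generated source (the compat-mode escaping bug); `guardLookups` controls whether the generated code resolves property paths through a safeguard that refuses inherited properties, or through plain property access (the strict-mode code path that skipped the safeguard). The option names, the `lookupProperty`/`rawLookup` helpers, the context object and the crafted identifier are all constructed for this example.

```javascript
// Added illustration, not Handlebars' code: a toy "{{a.b}}" template compiler
// with two switches mirroring the two classes of defect in the release note.
//
//   escapeIdentifiers - identifiers from the template are spliced into the
//     generated source through JSON.stringify. With it off, an identifier can
//     close the quoted literal and append code that runs at render time.
//   guardLookups - generated code resolves every path segment through
//     lookupProperty(), which only returns own properties of plain objects.
//     With it off (the toy analogue of a code path that skips the safeguard),
//     a template can walk the prototype chain, e.g. {{constructor.name}}.

const MUSTACHE = /\{\{\s*([^}]+?)\s*\}\}/g;

// Safeguard: a template only sees properties explicitly set on the context,
// never inherited ones such as "constructor" or "__proto__".
function lookupProperty(parent, name) {
  if (parent === null || typeof parent !== 'object') return undefined;
  return Object.prototype.hasOwnProperty.call(parent, name) ? parent[name] : undefined;
}

// Unguarded lookup: plain property access, inherited properties included.
function rawLookup(parent, name) {
  return parent == null ? undefined : parent[name];
}

function compile(template, { escapeIdentifiers = true, guardLookups = true } = {}) {
  const code = ['var out = "";'];
  let last = 0;
  for (const m of template.matchAll(MUSTACHE)) {
    code.push(`out += ${JSON.stringify(template.slice(last, m.index))};`);
    let expr = 'ctx';
    for (const seg of m[1].split('.')) {
      // Vulnerable branch: the identifier is trusted and quoted by hand.
      const id = escapeIdentifiers ? JSON.stringify(seg) : `'${seg}'`;
      expr = `lookup(${expr}, ${id})`;
    }
    code.push(`out += ((v) => v == null ? "" : String(v))(${expr});`);
    last = m.index + m[0].length;
  }
  code.push(`out += ${JSON.stringify(template.slice(last))};`, 'return out;');
  // The template becomes a real function; which lookup it receives decides
  // whether the safeguard is in effect.
  const fn = new Function('ctx', 'lookup', code.join('\n'));
  const lookup = guardLookups ? lookupProperty : rawLookup;
  return (ctx) => fn(ctx, lookup);
}

// Constructed context for the demonstration.
const context = { user: { name: 'alice' } };

// Benign template: renders identically in every configuration.
function renderGreeting(opts) {
  return compile('Hello {{user.name}}!', opts)(context);
}

// Prototype walk: "Object" without the guard, "" with it.
function renderConstructorName(opts) {
  return compile('{{constructor.name}}', opts)(context);
}

// Crafted identifier (constructed for this example) that closes the generated
// 'x' literal and appends a statement. It avoids "." so the toy path splitter
// leaves it as one segment.
const INJECTED_IDENTIFIER = "x') + (globalThis[\"toyCompilerInjected\"] = true, 'x";

// Returns true if rendering the template executed the injected statement.
function injectionSucceeds(opts) {
  delete globalThis.toyCompilerInjected;
  compile(`{{${INJECTED_IDENTIFIER}}}`, opts)(context);
  return globalThis.toyCompilerInjected === true;
}
```

With `escapeIdentifiers: false` the crafted identifier runs code at render time even though the lookup guard is still on; with `guardLookups: false` the harmless-looking `{{constructor.name}}` reaches `Object` through the prototype chain even though escaping is on. The two protections are independent, which is why both bullets above needed separate fixes.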