ADVISORIES
GEM
SEVERITY
CVSS v3.x: 5.4 (Medium)
PATCHED VERSIONS
- ~> 1.0.1
- ~> 1.1.3
- ~> 1.2.1
- ~> 1.3.1
- >= 1.4.0.beta.2
DESCRIPTION
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, we have identified a vulnerability that could lead to unescaped content being inserted into the innerHTML string without being sanitized.
When a primitive value is used as the Handlebars context, that value is not
properly escaped. An example of this would be using the {{each}} helper to
iterate over an array of user-supplied strings and using {{this}} inside the
block to display each string.
In applications that contain templates whose context is a primitive value and
use the {{this}} keyword to display that value, a specially-crafted payload
could execute arbitrary JavaScript in the context of the current domain
("XSS").
This vulnerability affects applications that contain templates whose context is
set to a user-supplied primitive value (such as a string or number) and also
contain the {{this}} special Handlebars variable to display the value.