ADVISORIES

• OSVDB-131671
• Vendor Advisory

GEM

mustache-js-rails

PATCHED VERSIONS

• >= 2.0.3

DESCRIPTION

The upstream 'mustache.js' node.js module was found to not properly escape backtick (`) and equals (=) characters, leading to possible content injection via attributes in templates.

Example:

• Template: <a href={{foo}}/>
• Input: { 'foo' : 'test.com onload=alert(1)'}
• Rendered result: <a href=test.com onload=alert(1)/>

RELATED

• GHSA-w3w8-37jv-2c58
• https://github.com/janl/mustache.js/pull/530
• https://security.snyk.io/vuln/SNYK-RUBY-MUSTACHEJSRAILS-20242
• https://www.veracode.com/blog/research/handlebarsjs-vulnerability-impact-study