Vulnerability in handlebars.js version 2.0.0


Vijay

Aug 3, 2016, 9:36:53 AM
to Swagger
Hi,

Our security team has found vulnerabilities in handlebars.js version 2.0.0 which is being used by Swagger UI.
References provided:

Is it already a known issue, and is the upgrade to the latest stable handlebars.js version being taken care of?

Thanks,
Vijay

tony tam

Aug 3, 2016, 10:53:31 AM
to swagger-sw...@googlegroups.com
Hi Vijay, I believe you already reached out on this. Expect it will be addressed shortly.

--
You received this message because you are subscribed to the Google Groups "Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swagger-swaggers...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Vijay

Aug 4, 2016, 2:00:09 AM
to Swagger
Hi Tony,

I've not posted on this topic before. Anyways, good to know that it is being addressed. Any tentative date for this fix?

Thanks,
Vijay

Ron Ratovsky

Aug 4, 2016, 11:27:25 AM
to swagger-sw...@googlegroups.com

We’ve pushed the updated version to master yesterday, please check it out.

Ron Ratovsky

Aug 4, 2016, 11:30:42 AM
to swagger-sw...@googlegroups.com

My bad, looks like we missed something, but we’re definitely working on it, will keep you posted.

tony tam

Aug 24, 2016, 2:40:54 PM
to Swagger
Hi, FYI swagger-ui 2.2.2 has been released and addresses XSS issues, handlebars, and a whole host of other items. Please see here for release notes:


Vijaya Sekhar Reddy P

Aug 25, 2016, 5:27:50 AM
to swagger-sw...@googlegroups.com
Thanks a lot for the update!

Thanks,
Vijay
