GMS-2020-765: XSS in client rendered block templates in rendr

September 1, 2020 (updated September 23, 2021)

Affected versions of rendr are vulnerable to cross-site scripting when client side rendering is done inside a _block.

Server side rendering is not affected and is properly escaped.

Recommendation

Update to version 1.1.4 or later.

References

github.com/advisories/GHSA-v5hp-35hw-cw5x
github.com/rendrjs/rendr-handlebars/pull/61
github.com/rendrjs/rendr/pull/513
nvd.nist.gov/vuln/detail/CVE-2016-1000230
www.npmjs.com/advisories/128

Code Behaviors & Features

Detect and mitigate GMS-2020-765 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →