---
gem: flavour_saver
osvdb: 110796
url: http://osvdb.org/show/osvdb/110796
title: |
  FlavourSaver handlebars helper remote code execution.
date: 2014-09-04
description: |
  FlavourSaver contains a flaw in helper method dispatch where it uses
  Kernel::send to call helpers without checking that they are defined
  within the template context first.  This allows expressions such as
  {{system "ls"}} or {{eval "puts 1 + 1"}} to be executed.
patched_versions:
  - ">= 0.3.3"