underscore-1.9.1.tgz: 1 vulnerabilities (highest severity is: 3.3) [main] #30
Description
📂 Vulnerable Library - underscore-1.9.1.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-23358 | 🟡 Low | 3.3 | Proof of concept | 1.4000001% | underscore-1.9.1.tgz | Direct | underscore.js - 1.12.1,underscore - 1.12.1 | ✅ |
Details
🟡CVE-2021-23358
Vulnerable Library - underscore-1.9.1.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ underscore-1.9.1.tgz (Vulnerable Library)
Vulnerability Details
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: Mar 29, 2021 01:15 PM
URL: CVE-2021-23358
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:1.4000001%
Score: 3.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-cf4h-3jhx-xvhq
Release Date: Mar 29, 2021 01:15 PM
Fix Resolution : underscore.js - 1.12.1,underscore - 1.12.1