CVE-2021-23358

Code Injection in npm/underscore

Identifiers

CVE-2021-23358

Package Slug

npm/underscore

Vulnerability

Code Injection

Description

The underscore package is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.

Affected Versions

All versions starting from 1.3.2 before 1.12.1, all versions starting from 1.13.0-0 before 1.13.0-2

Solution

Upgrade to versions 1.12.1, 1.13.1 or above.

Last Modified

2021-05-03
