CVE-2021-23358

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-23358

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23358.json

Aliases

GHSA-cf4h-3jhx-xvhq
SNYK-JAVA-ORGWEBJARSBOWER-1081504
SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
SNYK-JAVA-ORGWEBJARSNPM-1081503
SNYK-JS-UNDERSCORE-1080984

Related

Published

2021-03-29T14:15:18Z

Modified

2023-11-29T08:42:41.973013Z

Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

References

Affected packages

Git / github.com/documentcloud/underscore

Affected ranges

Type: GIT
Repo: https://github.com/documentcloud/underscore
Events: Introduced

e80bbe6d03193743a8d3e3d2d8bb365451382de8

Fixed

c627e3847981e0f573f43d6ef6c9c10ab5891d50

Introduced

645f8fa1d5d33711e2899b966ecc5c759aab87df

Affected versions

1.*

1.10.0

1.10.1

1.10.2

1.11.0

1.12.0

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.8.3

1.9.0

1.9.1

1.9.2