[Pkg-javascript-devel] Bug#986171: underscore: CVE-2021-23358
Salvatore Bonaccorso
carnil at debian.org
Tue Mar 30 20:40:31 BST 2021
Source: underscore
Version: 1.9.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>,yadd at debian.org
Hi,
The following vulnerability was published for underscore.
CVE-2021-23358[0]:
| The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
| and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
| template function, particularly when a variable property is passed as
| an argument as it is not sanitized.
[1] provides a POC to verify the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-23358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
[1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
Regards,
Salvatore
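The advisory above says the `variable` setting reaches the generated template function unsanitized. The following is an added illustration, not code from underscore, from the Snyk PoC, or from this bug report: a small model of the compile step that shows where the string lands, why an untrusted value executes at call time, and a bare-identifier check of the same shape as the upstream fix in 1.12.1 / 1.13.0-2. The function names (`renderToSource`, `compileVulnerable`, `compileHardened`, `demo`), the reduced `<%= expr %>`-only template syntax, and the `globalThis.__templateSideEffect` marker are all assumptions made for this example.

```javascript
// Added example modelling CVE-2021-23358; not underscore's own source.
// The template body is pre-rendered into JavaScript source that appends
// to __p; only the <%= expr %> interpolation form is supported here.
function renderToSource(text) {
  let source = "var __t, __p = '';\n";
  const re = /<%=([\s\S]+?)%>/g;
  let index = 0;
  let match;
  while ((match = re.exec(text)) !== null) {
    source += "__p += " + JSON.stringify(text.slice(index, match.index)) + ";\n";
    source += "__p += ((__t = (" + match[1] + ")) == null ? '' : __t);\n";
    index = match.index + match[0].length;
  }
  source += "__p += " + JSON.stringify(text.slice(index)) + ";\n";
  return source + "return __p;\n";
}

// Vulnerable shape: `settings.variable` becomes the parameter list of the
// generated function verbatim. Anything that parses as a formal parameter
// (including a default-value initializer) is accepted and evaluated when
// the compiled template is called.
function compileVulnerable(text, settings = {}) {
  let source = renderToSource(text);
  let argument = 'obj';
  if (settings.variable) {
    argument = settings.variable;             // untrusted, unsanitized
  } else {
    source = 'with (obj || {}) {\n' + source + '}\n';
  }
  return new Function(argument, source);
}

// Hardened shape: refuse anything that is not a bare identifier before it
// can reach the Function constructor (same check shape as the upstream fix).
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

function compileHardened(text, settings = {}) {
  if (settings.variable && !bareIdentifier.test(settings.variable)) {
    throw new Error('variable is not a bare identifier: ' + settings.variable);
  }
  return compileVulnerable(text, settings);
}

// Runs three cases: a legitimate `variable`, a crafted one that executes a
// side effect with an empty template body, and the hardened rejection.
function demo() {
  const legit = compileVulnerable('Hello <%= data.name %>', { variable: 'data' })({ name: 'world' });

  // Constructed payload: a default-parameter initializer. It runs as soon as
  // the compiled template is invoked, no template text required.
  const payload = 'data = (globalThis.__templateSideEffect = "ran")';
  delete globalThis.__templateSideEffect;
  compileVulnerable('', { variable: payload })();
  const sideEffect = globalThis.__templateSideEffect;   // "ran"

  let rejected = false;
  try {
    compileHardened('', { variable: payload });
  } catch (e) {
    rejected = /bare identifier/.test(e.message);
  }
  return { legit, sideEffect, rejected };
}

module.exports = { renderToSource, compileVulnerable, compileHardened, bareIdentifier, demo };
```

The practical check for a packaged copy is the same one the hardened path performs: look in the shipped `underscore.js` for whether `settings.variable` is validated before being handed to `Function`; if it is interpolated straight into the parameter list, the package is in the affected range regardless of what the version string says.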