accelerator-sample-apps-js icon indicating copy to clipboard operation
accelerator-sample-apps-js copied to clipboard

Published 20 hours ago verified publisher icon opentok

underscore-min-1.8.3.js: 1 vulnerabilities (highest severity is: 3.3)

Open mend-for-github-com[bot] opened this issue 9 months ago • 0 comments

Vulnerable Library - underscore-min-1.8.3.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore-min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (underscore-min version) Remediation Possible** Reachability
CVE-2021-23358 Low 3.3 Proof of concept 1.5% underscore-min-1.8.3.js Direct underscore - 1.12.1,1.13.0-2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23358

Vulnerable Library - underscore-min-1.8.3.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore-min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • :x: underscore-min-1.8.3.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 1.5%

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1,1.13.0-2

mend-for-github-com[bot] avatar Apr 30 '24 19:04 mend-for-github-com[bot]