Back to search
CVE-2021-23358
Published: Mar 29, 2021
Modified: Nov 3, 2025
PUBLISHED
CVSS v3.1
3.3
LOW
Description
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
| Vendor | Product | Versions |
|---|---|---|
n/a | underscore | affected 1.13.0-0 - < unspecifiedaffected unspecified - < 1.13.0-2affected 1.3.2 - < unspecifiedaffected unspecified - < 1.12.1 |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
References
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
x_refsource_MISC
[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update
mailing-list
x_refsource_MLIST
DSA-4883
vendor-advisory
x_refsource_DEBIAN
https://www.tenable.com/security/tns-2021-14
x_refsource_CONFIRM
FEDORA-2021-e49f936d9f
vendor-advisory
x_refsource_FEDORA
FEDORA-2021-f278299902
vendor-advisory
x_refsource_FEDORA
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now