Description
📂 Vulnerable Library - sitemap-1.13.0.tgz
Sitemap-generating framework
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sitemap/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-23358 | 🟡 Low | 1.2 | Proof of concept | 1.4000001% | underscore-1.7.0.tgz | Transitive | N/A | ❌ | |
Details
🟡CVE-2021-23358
Vulnerable Library - underscore-1.7.0.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/underscore/package.json
Dependency Hierarchy:
- nodemailer-smtp-transport-2.7.4.tgz (Root Library)
  - smtp-connection-2.12.0.tgz
    - httpntlm-1.6.1.tgz
      - ❌ underscore-1.7.0.tgz (Vulnerable Library)
- sitemap-1.13.0.tgz (Root Library)
  - ❌ underscore-1.7.0.tgz (Vulnerable Library)
Vulnerability Details
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Publish Date: Mar 29, 2021 01:15 PM
URL: CVE-2021-23358
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 1.4000001%
Score: 1.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-cf4h-3jhx-xvhq
Release Date: Mar 29, 2021 01:15 PM
Fix Resolution: underscore.js - 1.12.1, underscore - 1.12.1