📂 Vulnerable Library - donna-1.0.16.tgz
A CoffeeScript documentation generator.
Path to dependency file: /script/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| WS-2017-3772 | 🔴 High | 7.5 | N/A | N/A | underscore.string-3.3.5.tgz | Transitive | N/A | ❌ | |
| CVE-2021-23358 | 🟡 Low | 1.2 | Proof of concept | 1.4000001% | underscore-1.9.1.tgz | Transitive | N/A | ❌ | |
Details
🔴 WS-2017-3772
Vulnerable Library - underscore.string-3.3.5.tgz
String manipulation extensions for the Underscore.js JavaScript library.
Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.5.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- donna-1.0.16.tgz (Root Library)
  - ❌ underscore.string-3.3.5.tgz (Vulnerable Library)
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.
Publish Date: Sep 08, 2017 12:00 AM
URL: WS-2017-3772
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: esamattis/underscore.string@f486cd6
Release Date: Sep 08, 2017 12:00 AM
Fix Resolution: underscore.string - 3.3.5
🟡 CVE-2021-23358
Vulnerable Library - underscore-1.9.1.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- autocomplete-plus-https://www.atom.io/api/packages/autocomplete-plus/versions/2.42.3/tarball.tgz (Root Library)
- spell-check-https://www.atom.io/api/packages/spell-check/versions/0.76.0/tarball.tgz (Root Library)
- donna-1.0.16.tgz (Root Library)
- jasmine-tagged-1.1.4.tgz (Root Library)
  - ❌ underscore-1.9.1.tgz (Vulnerable Library)
Vulnerability Details
The package underscore, from 1.13.0-0 and before 1.13.0-2 and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Publish Date: Mar 29, 2021 01:15 PM
URL: CVE-2021-23358
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 1.4000001%
Score: 1.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-cf4h-3jhx-xvhq
Release Date: Mar 29, 2021 01:15 PM
Fix Resolution: underscore.js - 1.12.1, underscore - 1.12.1