CVE-2021-23358 – Arbitrary Code Injection
https://notcve.org/view.php?id=CVE-2021-23358
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized. El paquete underscore desde la versión 1.13.0-0 y anterior a la versión 1.13.0-2, desde la versión 1.3.2 y anterior a la versión 1.12.1, son vulnerables a una ejecución de código arbitraria por medio de la función template, particularmente cuando una propiedad variable es pasada como un argumento ya que no es saneado A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when a variable property is passed as an argument as it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71 https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org • CWE-94: Improper Control of Generation of Code ('Code Injection') •