According to its self-reported version number, Underscore.js is 1.3.2 prior to 1.12.1 or 1.13.x prior to 1.13.0-2. Therefore, it may be affected by an arbitrary code injection via the template function when the variable option is taken from _.templateSettings.
Note that the scanner has not tested for these issues but has instead relied only on the applicationβs self-reported version number.
No source data
Vendor | Product | Version | CPE |
---|---|---|---|
underscorejs | underscore | * | cpe:2.3:a:underscorejs:underscore:*:*:*:*:*:node.js:*:* |