Kikobeats
commented
2 years ago Thanks for reporting, looks like was previously reported at https://github.com/zaach/jsonlint/issues/133
Closed Thource closed 2 years ago
Kikobeats
commented
2 years ago Thanks for reporting, looks like was previously reported at https://github.com/zaach/jsonlint/issues/133
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Finepack depends on jsonlint, which depends on nomnom, which depends on underscore@1.6.0.
See https://nvd.nist.gov/vuln/detail/CVE-2021-23358 for vulnerability details.