Closed alan-null closed 2 months ago
https://github.com/SitecorePowerShell/Console/blob/8943f11e28472cda13f5d77841f22d8c489d03b6/src/Spe/sitecore%20modules/PowerShell/Scripts/ace/emmet-core/emmet.js#L1
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
source: https://nvd.nist.gov/vuln/detail/CVE-2021-23358
P.S. I did quick tests and it appears that replacing it with Underscore.js 1.13.6 doesn't seem to cause any damage.
@alan-null would you be so kind as to create a pull request so that we can integrate your fix? Thanks in advance!
Thank you, Sir!