Closed. djgrijalva closed this issue 1 week ago.
Can you let me know how you determined this? I'm not seeing it in our NPM dependency tree.
This and the other 2 issues I put in were found by my company's security team when doing a scan of our PSU site. This is what their report said on this:
The graphics below show the versions of the technical stack via Burp Suite. A readily available browser extension highlights the application framework and software components and their versions, making it easier for an attacker to identify the exploits, as seen below.
We aren't using Underscore. It looks like this is a problem with the license info coming from Lodash. https://github.com/lodash/lodash/issues/5579
Version: 4.2.21
Severity: Medium
Environment: msi
Steps to Reproduce: PSU is using Underscore JS 1.8.3, which has a current CVE-2021-23358 for Arbitrary Code Injection
Expected behavior:
Actual behavior:
Additional Environment data: No response
Screenshots/Animations: No response
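The maintainer's explanation above (a lodash attribution comment being read as an Underscore install) is a common way fingerprinting extensions produce false positives: they match a banner string anywhere in the served file. The script below is an added example, not code from this thread or from PSU, that shows the difference between that naive banner match and a check that only trusts version markers found in executable code. The two bundle snippets are constructed approximations of the real headers, written for this example; lodash's real `@license` block does credit "Underscore.js 1.8.3", which is where the 1.8.3 in the scanner report comes from.

```python
import re

# Constructed approximation of a lodash build header (not the project's file).
# The real build carries an @license comment reading "Based on Underscore.js
# 1.8.3"; the code itself only defines lodash's own VERSION.
LODASH_BUNDLE = """/**
 * @license
 * Lodash <https://lodash.com/>
 * Released under MIT license <https://lodash.com/license>
 * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
 */
;(function() {
  var VERSION = '4.17.21';
  function lodash(value) { return value; }
  lodash.VERSION = VERSION;
  this._ = lodash;
}.call(this));
"""

# Constructed approximation of an actual Underscore 1.8.3 build: the version
# appears both in the header comment and as a runtime assignment in code.
UNDERSCORE_BUNDLE = """//     Underscore.js 1.8.3
//     http://underscorejs.org
(function() {
  var _ = function(obj) { return obj; };
  _.VERSION = '1.8.3';
  this._ = _;
}.call(this));
"""

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"^\s*//.*$", re.M)
# Any mention of the library name followed by a version, comment or not.
BANNER_MENTION = re.compile(r"Underscore\.js\s+(\d+\.\d+\.\d+)")
# Version markers that only occur in executable code.
UNDERSCORE_VERSION = re.compile(r"\b_\.VERSION\s*=\s*['\"](\d+\.\d+\.\d+)['\"]")
LODASH_VERSION = re.compile(r"\bvar\s+VERSION\s*=\s*['\"](\d+\.\d+\.\d+)['\"]")


def naive_scan(src):
    """Banner matching as a fingerprinting extension might do it: the first
    'Underscore.js X.Y.Z' string anywhere in the file is reported as that
    library being present. Run on a lodash bundle this yields the false
    positive seen in the scan report."""
    m = BANNER_MENTION.search(src)
    return {"underscore": m.group(1)} if m else {}


def detect_libraries(src):
    """Strip comments first and only trust version markers that live in code.
    Mentions found solely in comments are reported under 'attribution_only'
    so the reviewer can see why a scanner raised the finding."""
    code = LINE_COMMENT.sub("", BLOCK_COMMENT.sub("", src))
    comments = " ".join(BLOCK_COMMENT.findall(src) + LINE_COMMENT.findall(src))
    found = {}
    m = LODASH_VERSION.search(code)
    if m:
        found["lodash"] = m.group(1)
    m = UNDERSCORE_VERSION.search(code)
    if m:
        found["underscore"] = m.group(1)
    mentions = BANNER_MENTION.findall(comments)
    if mentions and "underscore" not in found:
        found["attribution_only"] = ["underscore " + v for v in mentions]
    return found


if __name__ == "__main__":
    for name, bundle in (("lodash", LODASH_BUNDLE), ("underscore", UNDERSCORE_BUNDLE)):
        print(name, "naive:", naive_scan(bundle), "checked:", detect_libraries(bundle))
```

To triage a finding like this one, fetch the exact JavaScript file the scanner flagged from the site and run `detect_libraries` over it; a result with only `attribution_only` and no `underscore` key means the library is credited but not shipped. Cross-check against the build by running `npm ls underscore lodash` in the project, which is the dependency-tree check the maintainer refers to above.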