Unfortunately I have to ship Plone to government sites which use TwistlockPrisma Cloud to examine Docker images for vulnerabilities. It found one in underscore, included in plone.staticresources 1.4.1 through the present. The suggested remediation is to upgrade to underscore 1.12.1.
Risk factors: Attack complexity: low, Attack vector: network, Has fix, High severity, Recent vulnerability
Description: The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
petschki
commented
2 years ago
Unfortunately I have to ship Plone to government sites which use
TwistlockPrisma Cloud to examine Docker images for vulnerabilities. It found one inunderscore, included in plone.staticresources 1.4.1 through the present. The suggested remediation is to upgrade tounderscore1.12.1.