| Vulnerabilities | 1 via 40 paths |
|---|---|
| Dependencies | 10 |
| Source | npm |

medium severity
- Vulnerable module: underscore
- Introduced through: @smallstack/data@0.3.8, @smallstack/common@0.1.28 and others
Detailed paths
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/data@0.2.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/i18n@0.2.24 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/i18n@0.2.24 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/data@0.3.8 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/data@0.2.8 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/data@0.2.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/i18n@0.2.24 › @smallstack/data@0.3.8 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/data@0.3.8 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/data@0.2.8 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/user@0.1.26 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
-
Introduced through: @smallstack/user@0.1.26 › @smallstack/oms@0.1.6 › @smallstack/files@0.1.12 › @smallstack/user@0.1.26 › @smallstack/i18n@0.2.24 › @smallstack/data@0.3.8 › @smallstack/common@0.1.28 › @smallstack/data@0.3.8 › underscore@1.8.3
Overview
underscore is a JavaScript functional programming helper library.
Affected versions of this package are vulnerable to Arbitrary Code Injection via the `template` function, particularly when the `variable` option is taken from `_.templateSettings`, as it is not sanitized.
PoC
```javascript
const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();
```
Remediation
Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.