Details
-
Bug
-
Resolution: Fixed
-
Low
-
7.13.1
-
2
-
Severity 2 - Major
-
1
-
Description
Issue Summary
Workbox host plugin in Confluence is currently using underscore.js 1.3.1. This is old enough to not be vulnerable to CVE-2021-23358, but it should be using the version provided by Confluence, not its own
The package underscore from 1.13.0-0 and before 1.13.0-2
From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Steps to Reproduce
- Install Confluence 7.13.1 or below
Expected Results
Have Confluence using underscore.js 1.13.1 or higher.
Actual Results
Workbox host plugin in Confluence is using underscore.js 1.3.1.
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available
Attachments
Issue Links
- is cloned from
-
CONFSERVER-79464 Mobile web: upgrade Underscore.js to 1.13.1 or higher
- Closed
- mentioned in
-
Page Loading...