### [CVE-2021-23358](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358)
![](https://img.shields.io/static/v1?label=Product&message=underscore&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=1.13.0-0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=1.3.2%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Arbitrary%20Code%20Injection&color=brightgreen)

### Description

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

### POC

#### Reference
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/EkamSinghWalia/Detection-script-for-cve-2021-23358
- https://github.com/Ghifari160/splash
- https://github.com/LogicalAlmond/csec302-demo
- https://github.com/MehdiBoukhobza/SandBox_CVE-2021-23358
- https://github.com/amakhu/cdp
- https://github.com/andisfar/LaunchQtCreator
- https://github.com/captcha-n00b/CVEcrystalyer
- https://github.com/dellalibera/dellalibera
- https://github.com/ghifari160/splash
- https://github.com/k1LoW/oshka
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/seal-community/patches