View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
19493 | Bug reports | Security | public | 2024-03-21 13:57 | 2024-03-21 13:57 |

Field | Value |
---|---|
Reporter | LDBV |
Assigned To | |
Priority | none |
Severity | minor |
Status | new |
Resolution | open |
Product Version | 6.4.x |
Summary | 19493: underscore.js 1.8.3 has an Arbitrary Code Injection security vulnerability |
Description | Greetings, we had a Pen-Test for our LimeSurvey V6 Server. The testers have found several critical security problems (we open different bug report tickets). adminsidepanel.js depends on underscore.js (You can find it under the path .../limesurvey/tmp/assets/.../build.min/js). underscore.js 1.8.3 has an Arbitrary Code Injection security vulnerability (https://security.snyk.io/package/npm/underscore/1.8.3). The current version is underscore.js 1.13.6 (solving this security vulnerability). Thanks. |
Tags | No tags attached. |
Bug heat | 250 |
Complete LimeSurvey version number (& build) | both 6.4.6+240212 and 6.5.0+240319 |
I will donate to the project if issue is resolved | No |
Browser | Regardless of the browser |
Database type & version | MySQL 8.0.36 |
Server OS (if known) | SLES 15.5 |
Webserver software & version (if known) | Apache 2.4.51 |
PHP Version | PHP 8.0.30 |

Date Modified | Username | Field | Change |
---|---|---|---|
2024-03-21 13:57 | LDBV | New Issue |