CVE-2021-23358: 
JavaScript vulnerability analysis and mitigation

CVE-2021-23358 affects the underscore JavaScript library versions 1.13.0-0 to 1.13.0-2 and 1.3.2 to 1.12.1. The vulnerability was discovered in March 2021 and involves an Arbitrary Code Injection vulnerability in the template function, particularly when a variable property is passed as an argument as it is not sanitized (NVD, CVE).

The vulnerability exists in the template function of the underscore library, where the variable option taken from _.templateSettings is not properly sanitized. This allows for arbitrary code injection when a variable property is passed as an argument. The vulnerability has a CVSS score of 7.2 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Snyk).

Successful exploitation of this vulnerability could lead to arbitrary code execution, potentially resulting in disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (Tenable).

The vulnerability has been fixed in versions 1.13.0-2 and 1.12.1. Users are advised to upgrade to these or later versions. Multiple vendors have released patches, including Debian which fixed the issue in version 1.8.3~dfsg-1+deb9u1 for Debian 9 stretch, and Fedora which released version 1.13.1-1 (Debian, Fedora).