I am trying to: A security scan was done on the home page of our website that shows a lodash version with a vulnerability.
Link to a page where the issue can be seen: hidden link
I expected to see: The latest version of lodash without a security issue
Instead, I got: Shows that Toolset Types is using an older version with security issues.
Hi,
Thank you for contacting us and I'd be happy to assist.
Can you please share details about the security scan tool that you used? And is there a report that you can share from your website?
I'll be able to pass this on to the concerned team accordingly.
regards,
Waqar
Hi Waqar, thank you for the quick response. So while this scan was done by one of our clients, I'm not sure what tool they used. Here is the scan report:
Alert: Insecure Web Frameworks and Libraries
-Lodash version with vulnerability CVE-2019-10744, CVE-2020-8203, CVE-2021-23337
Our devops team did a thorough checkup since we don't use "Lodash JS" at all. After a decent amount of investigation we realized that Toolset is using Lodash and it is not up to date with the current stable version of lodash. While looking at this, can you please confirm what version of lodash is currently being used on the latest version of Toolset Types?
Thank you for sharing these details and I've passed these to the concerned team for further review.
The Toolset plugins currently include the version '4.17.11', whereas the latest version is '4.17.15'.
I'll keep you updated through this ticket, as I hear from the development team.
Thanks for the information Waqar. Seems like the issue exists in lodash versions lower than 4.17.12. Here is the reference to the issue: hidden link
So if the minor version could be bumped up one or two versions, the issue would be fixed.
This is a high priority ticket with a 9.1 severity and I would appreciate it if this is escalated quickly.
Thank you and I've shared this with the escalated ticket as well.
Will keep you updated through this ticket.
Hi Waqar,
It has been a couple of months and we are getting consistent complaints about this issue from various clients for PCI compliance and security scans. Can you please provide an update or an ETA so we could pass it on to our customers regarding the update? Any information would be helpful.
Thank you for checking in.
Our preliminary investigations showed that although we shipped a version of lodash (and that version is not current), we didn't use it. We load the version that is bundled with WordPress (which is more current).
Additionally, a fix for this has been included in the latest releases of Toolset Blocks/Views plugins, that were rolled out last week.
Please feel free to update all Toolset plugins to the latest version and then run the security scan again.
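The reply above draws a distinction that scanners often miss: a lodash file that is merely shipped under a plugin directory versus the lodash copy the page actually executes. The following is an added example (not Toolset's, WordPress's, or the support team's code) that shows how to check both sides yourself: it pulls every lodash-looking script reference out of a page's HTML (with any `?ver=` tag WordPress appends), takes the version the running page reports via `_.VERSION`, and compares each against the versions in which the three CVEs from the report were fixed. The fixed-in versions are taken from the public advisories for those CVEs and are an assumption to verify against NVD before relying on them; note that they differ per CVE, so a single threshold does not cover all three. The HTML fragment is constructed for the example and is not from the reporter's site.

```javascript
// Added example: compare lodash copies referenced by a page with the copy that
// actually runs, and check each against the fixed-in versions of the reported CVEs.
// Not code from Toolset, WordPress, or the support thread.

// Fixed-in versions per the public advisories for the three CVEs in the scan
// report. Assumption: confirm these against NVD / the GitHub advisory database.
const LODASH_FIXES = {
  'CVE-2019-10744': '4.17.12', // prototype pollution via defaultsDeep
  'CVE-2020-8203': '4.17.19',  // prototype pollution via zipObjectDeep
  'CVE-2021-23337': '4.17.21', // code injection via template
};

// "4.17.11" -> [4, 17, 11]; anything that is not MAJOR.MINOR.PATCH is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// CVE ids from `fixes` whose fix version is newer than `version`.
function unfixedCves(version, fixes = LODASH_FIXES) {
  return Object.entries(fixes)
    .filter(([, fixedIn]) => compareVersions(version, fixedIn) < 0)
    .map(([cve]) => cve);
}

// Every <script src="..."> whose URL mentions lodash, with the WordPress
// "?ver=" query value when present. Scanners commonly fingerprint on exactly
// this, which is why a shipped-but-unused file still gets flagged.
function lodashScriptsIn(html) {
  const found = [];
  const tag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = m[1];
    if (/lodash/i.test(src)) {
      const ver = /[?&]ver=(\d+\.\d+\.\d+)/.exec(src);
      found.push({ src, ver: ver ? ver[1] : null });
    }
  }
  return found;
}

// `loadedVersion` is what the page itself reports; in a browser console that is
//   window._ && window._.VERSION
// It is a parameter here so the comparison can run outside a browser.
function report(html, loadedVersion) {
  const referenced = lodashScriptsIn(html);
  return {
    loaded: loadedVersion,
    loadedUnfixed: loadedVersion ? unfixedCves(loadedVersion) : null,
    referenced: referenced.map((s) => ({
      src: s.src,
      ver: s.ver,
      unfixed: s.ver ? unfixedCves(s.ver) : null,
    })),
  };
}

// Constructed sample fragment (not from the reporter's site): WordPress's own
// lodash plus a plugin directory that also references an older lodash copy.
const SAMPLE_HTML = `
<script src="https://example.com/wp-includes/js/dist/vendor/lodash.min.js?ver=4.17.19"></script>
<script src="https://example.com/wp-content/plugins/some-plugin/vendor/lodash.js?ver=4.17.11"></script>
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1"></script>
`;

if (typeof window === 'undefined') {
  // Stand-alone run: pretend the page reported the WordPress copy as loaded.
  console.log(JSON.stringify(report(SAMPLE_HTML, '4.17.19'), null, 2));
}
```

If the `loaded` version is current while a `referenced` entry is old, the finding is about a file on disk rather than code that executes on the page, which is the situation the reply describes; the old file still needs removing or updating, since PCI scanners will keep reporting it as long as it is fetchable. If the loaded version is itself behind one of the fix versions, the page is exposed regardless of what the script URLs say.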