[Resolved] Lodash version with security vulnerability
This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.
Hi Waqar, thank you for the quick response. So while this scan was done by one of our clients, I'm not sure what tool they used. Here is the scan report:
Alert: Insecure Web Frameworks and Libraries
- Lodash version with vulnerability CVE-2019-10744, CVE-2020-8203, CVE-2021-23337
Our devops team did a thorough checkup since we don't use "Lodash JS" at all. After a decent amount of investigation we realized that Toolset is using Lodash and it is not up to date with the current stable version of lodash. While looking at this, can you please confirm what version of lodash is currently being used in the latest version of Toolset Types?
Thanks for the information Waqar. Seems like the issue exists in lodash versions lower than 4.17.12. Here is the reference to the issue: hidden link
So if the minor version could be bumped up one or two version the issue would be fixed.
This is a high priority ticket with a 9.1 severity and I would appreciate it if this is escalated quickly.
It has been a couple of months and we are getting consistent complaints about this issue from various clients for PCI compliance and security scans. Can you please provide an update or an ETA that we could pass on to our customers regarding the update? Any information would be helpful.
Our preliminary investigations showed that although we shipped a version of lodash (and that version is not current), we didn't use it. We load the version that is bundled with WordPress (which is more current).
Additionally, a fix for this has been included in the latest releases of Toolset Blocks/Views plugins, that were rolled out last week.
Please feel free to update all Toolset Plugins to the latest version and then run the security scan again.
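The point of the exchange above is that a scanner flagging a lodash file shipped inside a plugin directory does not tell you which lodash build the page actually executes. The following is an added example (not Toolset's or WordPress's code) of how a site owner can check both facts from the browser before and after updating: it reads the version string lodash exposes on its `_` global, compares it against a minimum patched version (the 4.17.12 threshold stated in the thread; swap in the fix version of whichever advisory your scanner cites), and separates lodash script URLs served from WordPress core from those served from a plugin. The script URLs and the `example.test` host below are constructed sample data; the function takes the lodash global and the script list as parameters so it runs offline, and the usage line shows how to feed it the real `window._` and `document.scripts`.

```javascript
// Added example, not part of the original thread or of Toolset's code.
// Minimum patched lodash version; 4.17.12 is the threshold quoted in the
// thread, adjust to the fix version named in the advisory you care about.
const MIN_LODASH_VERSION = '4.17.12';

// Parse the leading "major.minor.patch" of a version string into numbers.
// Returns null for anything that is not a string or does not start that way.
function parseVersion(v) {
  if (typeof v !== 'string') return null;
  const m = v.match(/^(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
// A plain string comparison would wrongly rank "4.17.9" above "4.17.12".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error('unparseable version: ' + a + ' / ' + b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Classify where a lodash script is served from. WordPress core lives under
// /wp-includes/, plugins under /wp-content/plugins/; anything else is 'other'.
function classifyScript(src) {
  if (/\/wp-includes\//.test(src)) return 'core';
  if (/\/wp-content\/plugins\//.test(src)) return 'plugin';
  return 'other';
}

// lodashGlobal: the `_` object lodash installs (undefined if not loaded).
// scriptSrcs:   array of <script src> URLs found on the page.
// Returns which lodash version is actually executing, whether it meets the
// minimum, and every lodash file referenced by the page with its origin, so
// a shipped-but-unused plugin copy can be told apart from the live one.
function auditLodash(lodashGlobal, scriptSrcs, minVersion = MIN_LODASH_VERSION) {
  const loaded =
    lodashGlobal && typeof lodashGlobal.VERSION === 'string'
      ? lodashGlobal.VERSION
      : null;
  const lodashScripts = scriptSrcs
    .filter((src) => /lodash/i.test(src))
    .map((src) => ({ src, origin: classifyScript(src) }));
  return {
    loadedVersion: loaded,
    meetsMinimum: loaded !== null && compareVersions(loaded, minVersion) >= 0,
    lodashScripts,
  };
}

// Constructed sample page: core lodash plus a second copy bundled by a plugin.
const SAMPLE_SCRIPTS = [
  'https://example.test/wp-includes/js/dist/vendor/lodash.js',
  'https://example.test/wp-includes/js/jquery/jquery.min.js',
  'https://example.test/wp-content/plugins/some-plugin/vendor/lodash.min.js',
];

// Offline demonstration with a constructed lodash global.
const sampleReport = auditLodash({ VERSION: '4.17.21' }, SAMPLE_SCRIPTS);
console.log(JSON.stringify(sampleReport, null, 2));

// In a real browser console on the site under test you would run instead:
//   auditLodash(window._, Array.from(document.scripts, (s) => s.src));
```

If `meetsMinimum` is true but `lodashScripts` still lists a plugin-hosted copy, the scanner is most likely matching on that file's contents or URL rather than on what runs; the plugin update that removes or refreshes the bundled file is what will clear the finding, and re-running the audit after the update confirms the executing copy did not regress.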
This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.