
[Resolved] Lodash version with security vulnerability


This topic contains 7 replies, has 2 voices.

Last updated by Waqar 2 months ago.

Assisted by: Waqar.

#2667245

I am trying to: A security scan was done on the home page of our website that shows a lodash version with a vulnerability.

Link to a page where the issue can be seen: hidden link

I expected to see: The latest version of lodash without a security issue

Instead, I got: Shows that Toolset Types is using an older version with security issues.

#2667451

Waqar
Supporter

Languages: English (English)

Timezone: Asia/Karachi (GMT+05:00)

Hi,

Thank you for contacting us and I'd be happy to assist.

Can you please share details about the security scan tool that you used? And is there a report that you can share from your website?

I'll be able to pass this on to the concerned team accordingly.

Regards,
Waqar

#2667863

Hi Waqar, thank you for the quick response. So while this scan was done by one of our clients, I'm not sure what tool they used. Here is the scan report:

Alert: Insecure Web Frameworks and Libraries
- Lodash version with vulnerability CVE-2019-10744, CVE-2020-8203, CVE-2021-23337

Our devops team did a thorough checkup since we don't use "Lodash JS" at all. After a decent amount of investigation we realized that Toolset is using Lodash and it is not up to date with the current stable version of lodash. While looking at this, can you please confirm what version of lodash is currently being used in the latest version of Toolset Types?

#2668415

Waqar
Supporter


Thank you for sharing these details and I've passed these to the concerned team for further review.

The Toolset plugins currently include the version '4.17.11', whereas the latest version is '4.17.15'.

I'll keep you updated through this ticket, as I hear from the development team.

#2668527

Thanks for the information Waqar. Seems like the issue exists in lodash versions lower than 4.17.12. Here is the reference to the issue: hidden link
So if the minor version could be bumped up one or two versions the issue would be fixed.
This is a high priority ticket with a 9.1 severity and I would appreciate it if this is escalated quickly.

#2668843

Waqar
Supporter


Thank you and I've shared this with the escalated ticket as well.

Will keep you updated through this ticket.

#2684468

Hi Waqar,

It has been a couple of months and we are getting consistent complaints about this issue from various clients for PCI compliance and security scans. Can you please provide an update or an ETA so we could pass it on to our customers regarding the update? Any information would be helpful.

#2684527

Waqar
Supporter


Thank you for checking in.

Our preliminary investigations showed that although we shipped a version of lodash (and that version is not current), we didn't use it. We load the version that is bundled with WordPress (which is more current).

Additionally, a fix for this has been included in the latest releases of Toolset Blocks/Views plugins, that were rolled out last week.

Please feel free to update all Toolset Plugins to the latest version and then run the security scan again.
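The distinction Waqar draws above (a lodash file shipped inside a plugin directory versus the copy the page actually enqueues) is worth checking on your own site, because a scanner may flag either one. The following is an added Python example, not code from the thread or from Toolset: the page HTML, script paths and file contents are constructed, and the version regex assumes the `var VERSION = '...'` banner present in lodash builds.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what a page scanner sees: the page HTML plus the JS
# files reachable under the site. The plugin directory ships an old lodash
# that the page never references; the page loads the WordPress core copy.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/dist/vendor/lodash.min.js?ver=4.17.19"></script>
<script src="/wp-content/plugins/example-plugin/js/app.js"></script>
</head><body></body></html>"""
SAMPLE_SCRIPTS = {  # hypothetical paths and contents
    "/wp-includes/js/dist/vendor/lodash.min.js": "/** @license lodash */\nvar VERSION = '4.17.19';",
    "/wp-content/plugins/example-plugin/js/app.js": "console.log('app');",
    "/wp-content/plugins/example-plugin/vendor/lodash.js": "var VERSION = '4.17.11';",
}
MIN_SAFE = (4, 17, 12)  # lowest version the thread says the scanner no longer flags
VERSION_RE = re.compile(r"\bVERSION\s*=\s*[\'\"](\d+)\.(\d+)\.(\d+)[\'\"]")


class ScriptSrcParser(HTMLParser):
    """Collects the src of every <script> tag, stripping ?ver= cache-busters."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.split("?", 1)[0])


def lodash_version(js):
    """Return the (major, minor, patch) tuple from a lodash build, or None."""
    m = VERSION_RE.search(js)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(html, scripts, min_safe=MIN_SAFE):
    """Map each lodash file to whether the page loads it and whether it is below min_safe."""
    parser = ScriptSrcParser()
    parser.feed(html)
    loaded = set(parser.srcs)
    report = {}
    for path, js in scripts.items():
        ver = lodash_version(js)
        if ver is None:
            continue  # not a lodash build
        report[path] = {"version": ver, "loaded": path in loaded,
                        "vulnerable": ver < min_safe}
    return report
```

A file that is shipped but never loaded still sits at a fetchable URL, so the report keeps both entries rather than hiding the unloaded one.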

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.