Description
The underscore package, in versions from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, because it is not sanitized.
Remediation