Invicti Standard identified that the target web site is using Lodash and detected that it is out of date.

Impact

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload: a source object whose keys walk constructor.prototype, such as a parsed JSON body that the application merges into a defaults object. A property added this way is inherited by every object in the process, which is what the I:H/A:H in the vector below reflects.

CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

External References

Lodash Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Vulnerability

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Here the attacker controls the property paths rather than a nested object, so a path such as constructor.prototype.x reaches Object.prototype the same way.
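Both findings above are the same bug class: a merge or path-set routine that walks attacker-controlled keys and does not stop at "__proto__", "constructor" or "prototype". The block below is an added example and is not lodash's code; it contains a minimal recursive defaults merge and a dotted-path setter with that bug, the hardened variants a practitioner would want, and constructed JSON payloads of the kind that would arrive in a request body. Function names (defaultsDeepUnsafe, setPathUnsafe and so on) are assumptions for this example.

```javascript
// Added example, not lodash's code: a minimal recursive "defaults" merge with
// the bug class of the defaultsDeep finding, a path setter with the bug class
// of the zipObjectDeep finding, and hardened variants of both.

// Treating functions as objects (as lodash's isObject does) is what makes
// target.constructor (the Object function) a valid merge target.
function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable: walks every key the source carries, including "__proto__",
// "constructor" and "prototype".
function defaultsDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const sv = source[key];
    if (isObjectLike(sv)) {
      if (!isObjectLike(target[key])) target[key] = {};
      defaultsDeepUnsafe(target[key], sv);
    } else if (target[key] === undefined) {
      target[key] = sv;
    }
  }
  return target;
}

// Vulnerable: sets a dotted path such as "a.b.c", creating objects on the way,
// and will walk "constructor.prototype.x" just as readily.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!isObjectLike(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Only plain data objects are recursed into: never functions, class instances
// or anything reached through an inherited property.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened: skip the three keys that lead to a prototype, and only descend
// into own, plain-object properties of the target.
function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      defaultsDeepSafe(target[key], sv);
    } else if (!hasOwn(target, key)) {
      target[key] = sv;
    }
  }
  return target;
}

// Hardened: reject any path segment that could reach a prototype.
function setPathSafe(target, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new Error('refusing to set a path through a prototype key: ' + path);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!hasOwn(cur, parts[i]) || !isPlainObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Runs one operation against an empty target and reports whether a fresh
// object afterwards inherits "isAdmin"; any pollution is undone before returning.
function pollutes(fn) {
  fn({});
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Constructed payloads, as an attacker would send them in a JSON body.
const constructorPayload = JSON.parse('{"constructor": {"prototype": {"isAdmin": true}}}');
const protoPayload = JSON.parse('{"__proto__": {"isAdmin": true}}');

function runPollutionDemo() {
  return {
    unsafeMergeConstructor: pollutes((t) => defaultsDeepUnsafe(t, constructorPayload)),
    unsafeMergeProto: pollutes((t) => defaultsDeepUnsafe(t, protoPayload)),
    unsafeSetPath: pollutes((t) => setPathUnsafe(t, 'constructor.prototype.isAdmin', true)),
    safeMergeConstructor: pollutes((t) => defaultsDeepSafe(t, constructorPayload)),
    safeMergeProto: pollutes((t) => defaultsDeepSafe(t, protoPayload)),
  };
}
```

The "constructor" payload matters because filtering only "__proto__" (a common first fix) still leaves the constructor.prototype route open; both keys must be rejected, and the merge should never descend into a function. Once a prototype is polluted, deleting the property is the only way back, which is why the demo cleans up after each run.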
CVSS
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

External References

Lodash Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. The compiled template is JavaScript that runs inside the application's process, so whoever controls the template's input gains code execution there; the PR:H in the vector reflects that this input is normally only reachable with privileged access.
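The template finding is a code-injection bug in how the compiled function is assembled: the function's source is built as a string, so an option that is spliced in unescaped becomes code. The block below is an added example and is not lodash's code; it is a toy template compiler that builds its source the same way, with the `variable` option used verbatim, beside a hardened variant that only accepts a JavaScript identifier. The payload, the function names and the one-directive `<%= %>` syntax are assumptions for this example.

```javascript
// Added example, not lodash's code: a toy template compiler whose compiled
// function is built from a source string, so an attacker-controlled
// `variable` option becomes part of the JavaScript that is compiled.

// Builds "return function(<variable>) { ...body... }". Only <%= expr %>
// interpolation is supported here.
function buildTemplateSource(text, variable) {
  const interpolate = /<%=([\s\S]+?)%>/g;
  let body = "var __t, __p = '';\n";
  let index = 0;
  let match;
  while ((match = interpolate.exec(text)) !== null) {
    body += '__p += ' + JSON.stringify(text.slice(index, match.index)) + ';\n';
    body += '__p += ((__t = (' + match[1] + ')) == null ? "" : __t);\n';
    index = match.index + match[0].length;
  }
  body += '__p += ' + JSON.stringify(text.slice(index)) + ';\n';
  body += 'return __p;';
  return 'return function(' + variable + ') {\n' + body + '\n}';
}

// Vulnerable: the option is used verbatim as the parameter-list text.
function compileTemplateUnsafe(text, options = {}) {
  return new Function(buildTemplateSource(text, options.variable || 'obj'))();
}

// Hardened: the parameter must be a single JS identifier and nothing else.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function compileTemplateSafe(text, options = {}) {
  const variable = options.variable || 'obj';
  if (!IDENTIFIER.test(variable)) {
    throw new Error('Invalid `variable` option passed into template');
  }
  return new Function(buildTemplateSource(text, variable))();
}

// Constructed payload: closes the parameter list and the function early,
// returns a marker (in a real attack this would be any code, e.g. a
// child_process call), then opens a throw-away declaration that swallows the
// rest of the generated body so the whole source still parses.
const INJECTED_VARIABLE = ') { return "INJECTED" }; function swallow(obj';

function runTemplateDemo() {
  const text = 'Hello <%= obj.name %>!';
  const data = { name: 'Ada' };
  let safeRejected = false;
  try {
    compileTemplateSafe(text, { variable: INJECTED_VARIABLE });
  } catch (e) {
    safeRejected = true;
  }
  return {
    normal: compileTemplateUnsafe(text)(data),
    injected: compileTemplateUnsafe(text, { variable: INJECTED_VARIABLE })(data),
    safeNormal: compileTemplateSafe(text)(data),
    safeRejected,
  };
}
```

The check is an allow-list on the shape of the option, not an escape of dangerous characters: a parameter name has exactly one legal form, so anything else is rejected before it reaches the compiler. The same review question applies to every option that ends up inside generated source.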
CVSS
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

External References

Lodash Other Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions: a long run of whitespace in attacker-supplied input makes these calls take time that grows quadratically with the input length, which is the A:L in the vector below.
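The ReDoS finding comes down to how trailing whitespace is removed. The block below is an added example and is not lodash's code: it shows a trailing-whitespace trim written with a backtracking regular expression, where a long run of whitespace followed by a single non-space character forces the engine through roughly n²/2 steps, beside a linear rewrite that scans from the end and produces the same result on every input. The function names and the constructed input are assumptions for this example.

```javascript
// Added example, not lodash's code: the trailing-whitespace trim at the heart
// of the ReDoS finding, written the backtracking way and the linear way.

// Quadratic on "<n spaces>a": from every start position \s+ matches greedily to
// the last space, fails at $, then backtracks through every shorter length
// before the engine advances one position.
function trimEndRegex(s) {
  return s.replace(/\s+$/, '');
}

// Linear: walk back from the end with one O(1) single-character test per step.
// Using the same \s class keeps the result identical to the regex version.
function trimEndLinear(s) {
  let end = s.length;
  while (end > 0 && /\s/.test(s[end - 1])) end--;
  return s.slice(0, end);
}

// Constructed ReDoS input: nothing is trimmed, but the regex still backtracks.
function redosInput(n) {
  return ' '.repeat(n) + 'a';
}

function timed(fn) {
  const start = Date.now();
  const value = fn();
  return { value, ms: Date.now() - start };
}

// Runs both implementations once on the same input and reports the timings
// and whether they agree; try n = 50000 to see the gap, n = 2000 is instant.
function compareTrims(n) {
  const input = redosInput(n);
  const regex = timed(() => trimEndRegex(input));
  const linear = timed(() => trimEndLinear(input));
  return {
    regexMs: regex.ms,
    linearMs: linear.ms,
    sameResult: regex.value === linear.value,
  };
}
```

The practical check is to feed each string-handling entry point an input of a few tens of thousands of whitespace characters and watch the request time; a linear implementation returns in milliseconds regardless of length.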
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

External References

Remediation

Upgrade Lodash to 4.17.21 or later; that is the earliest release containing the fix for every issue listed above. Confirm the version actually shipped to the browser (the header of the served lodash file, or the lockfile entry the bundle was built from) rather than relying on package.json alone, since a vendored or bundled copy can lag the declared dependency.