Description
Element UI uses utils/lodash.js 4.17.10, which is too old and may expose the project to known CVEs.
We cannot find this file updated in the latest version, 2.15.14.
Lodash Allocation of Resources Without Limits or Throttling vulnerability (fixed in version >= 4.17.11)
https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Lodash CVE-2018-16487 prototype pollution vulnerability (fixed in version >= 4.17.11)
https://nvd.nist.gov/vuln/detail/CVE-2018-16487
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Lodash ReDoS vulnerability (fixed in version >= 4.17.21)
https://nvd.nist.gov/vuln/detail/CVE-2020-28500
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.