By admin • February 5, 2024
SXA themes: Themes define the look and feel of a site and can be created separately from the site functionality and content. There are two types of themes: base themes and site themes.
Base Themes are built on top of a set of core, third-party CSS and JavaScript libraries such as jQuery, jQuery UI, Lodash, etc.
Lodash is included as a part of Sitecore Experience Accelerator.
The problem
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
The vulnerability in lodash versions prior to 4.17.21 is described here: https://nvd.nist.gov/vuln/detail/CVE-2021-23337
These security vulnerabilities were discovered when auditing best practices with Google Lighthouse. Here is an example of the Lo-dash vulnerability, as reported in Chrome DevTools.

The solution
The officially recommended approach is to upgrade Sitecore, so that it uses the updated library; this was tested in 10.2. The alternative approach is to update the lo-dash version within the current Sitecore version.
Fortunately, resolving this issue is fairly simple and straightforward.
- Download the latest lodash (lodash.min.js; as an example, it can be downloaded from https://github.com/lodash/lodash/releases/tag/4.17.21, or consider taking it from SXA 10.2)
- If the file was downloaded from npm/GitHub, make sure to add, at the bottom of the file, the customization that SXA applies:

- Upload lodash.min.js to the lo-dash item in Sitecore (/sitecore/media library/Base Themes/Core Libraries/scripts/lo-dash)
- Publish the changes and you are done.
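As an added check that is not part of the original post, the snippet below verifies that the file you are about to upload (or the bundle already served from the lo-dash media item) is at least 4.17.21, the first release that fixes CVE-2021-23337. It assumes the minified build keeps lodash's `VERSION="x.y.z"` literal, which is what the regex looks for; the sample bundle strings are constructed. Run it in Node or paste it into DevTools.

```javascript
// Added example: version audit for the lodash bundle deployed in an SXA site.
// Assumption: the file contains a VERSION="x.y.z" literal (lodash sets lodash.VERSION).
const MIN_SAFE = "4.17.21"; // first lodash release fixing CVE-2021-23337

// Compare dotted version strings numerically, so "4.17.9" sorts before "4.17.21".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given version is 4.17.21 or newer.
function isPatched(version) {
  return compareVersions(version, MIN_SAFE) >= 0;
}

// Pull the version literal out of a lodash source file; null if absent.
function extractVersion(source) {
  const m = source.match(/VERSION\s*[=:]\s*["']([0-9]+(?:\.[0-9]+)*)["']/);
  return m ? m[1] : null;
}

// Summarise the audit result for one bundle's source text.
function auditBundle(source) {
  const version = extractVersion(source);
  if (version === null) {
    return { version: null, patched: false, reason: "no VERSION literal found" };
  }
  const patched = isPatched(version);
  return { version, patched, reason: patched ? "ok" : "older than " + MIN_SAFE };
}

// Constructed sample inputs standing in for the file fetched from the media item.
const OLD_BUNDLE = '/* constructed sample */ var VERSION="4.17.15";';
const NEW_BUNDLE = '/* constructed sample */ mn.VERSION="4.17.21";';

console.log(auditBundle(OLD_BUNDLE)); // { version: "4.17.15", patched: false, ... }
console.log(auditBundle(NEW_BUNDLE)); // { version: "4.17.21", patched: true, ... }
// On a live page the equivalent runtime check is: isPatched(window._.VERSION)
```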