Sap · Sapui5 · CVE-2021-21316
**Name of the Vulnerable Software and Affected Versions**
less-openui5 versions prior to 0.10.0
**Description**
The issue arises when processing theming resources, such as `*.less` files, with less-openui5 that originate from an untrusted source. These resources might contain JavaScript code that will be executed in the context of the build process. This behavior is a feature of the Less.js library but is unexpected in the context of OpenUI5 and SAPUI5 development. An attacker could create a library or theme-library with malicious JavaScript code in one of the `.less` files. Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default, but less-openui5 uses a fork of Less.js v1.6.3. Disabling the Inline JavaScript feature in Less.js versions 1.x still evaluates code that has additional double quotes around it.
**Recommendations**
For versions prior to 0.10.0, update to version 0.10.0 or later to remove the inline JavaScript evaluation feature completely from the code of the Less.js fork.
As a temporary workaround, consider only processing trusted theming resources until the issue is resolved.
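As an added example (not code from less-openui5 or Less.js), the check below supports the workaround above: it scans Less source for backtick inline-JavaScript expressions before a build processes it, and separately reports expressions wrapped in double quotes, the case the description says the Less.js 1.x disable switch still evaluates. The sample theme content and the function names are constructed for this example.

```javascript
// Added example, not part of less-openui5 or Less.js. Flags backtick
// expressions, which Less.js 1.x evaluates as JavaScript at build time.
const INLINE_JS = /`([^`]*)`/g;

// True when position `index` in `line` sits inside a "..." string, judged by
// counting unescaped double quotes before it (simplified: odd count = inside).
function isInsideDoubleQuotes(line, index) {
  let quotes = 0;
  for (let i = 0; i < index; i++) {
    if (line[i] === '"' && line[i - 1] !== '\\') quotes++;
  }
  return quotes % 2 === 1;
}

// Returns one finding per backtick expression: 1-based line, the expression
// text, and whether it is wrapped in double quotes (the 1.x bypass case).
function findInlineJavaScript(lessSource) {
  const findings = [];
  lessSource.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(INLINE_JS)) {
      findings.push({
        line: i + 1,
        expression: m[1],
        insideDoubleQuotes: isInsideDoubleQuotes(line, m.index),
      });
    }
  });
  return findings;
}

// Gate for untrusted theming resources: refuse anything with inline JS.
function isSafeToProcess(lessSource) {
  return findInlineJavaScript(lessSource).length === 0;
}

// Constructed sample theme file (not taken from any real library).
const SAMPLE_LESS = [
  '@brand: #0a6ed1;',
  '@bad: `1 + 1`;',        // bare inline JavaScript
  '@worse: "`2 * 3`";',    // inline JavaScript inside double quotes
  '.btn { color: @brand; }',
].join('\n');

for (const f of findInlineJavaScript(SAMPLE_LESS)) {
  const where = f.insideDoubleQuotes ? ' (inside "...")' : '';
  console.log('line ' + f.line + ': `' + f.expression + '`' + where);
}
console.log('safe to process:', isSafeToProcess(SAMPLE_LESS));
```

Run it over each `.less` file of a library before handing the library to less-openui5; a non-empty result means the resource needs manual review rather than a build.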