PT-2021-14413 · Sap · Sapui5+1

Matz3 · Published 2021-01-29 · Updated 2021-02-26 · CVE-2021-21316

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

less-openui5 versions prior to 0.10.0

Description

The issue arises when less-openui5 processes theming resources, such as *.less files, that originate from an untrusted source. These resources might contain JavaScript code that will be executed in the context of the build process. This behavior is a feature of the Less.js library but is unexpected in the context of OpenUI5 and SAPUI5 development. An attacker could create a library or theme-library with malicious JavaScript code in one of the .less files. Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default, but less-openui5 uses a fork of Less.js v1.6.3. In Less.js versions 1.x, even with the Inline JavaScript feature disabled, code with additional double quotes around it is still evaluated.

Recommendations

For versions prior to 0.10.0, update to version 0.10.0 or later, which removes the inline JavaScript evaluation feature completely from the code of the Less.js fork. As a temporary workaround, consider only processing trusted theming resources until the issue is resolved.
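One way to support the temporary workaround above is to audit third-party theming resources for inline JavaScript before they reach the build. The following Node.js check is an added example, not code from less-openui5 or from this advisory; the function name `findInlineJavaScript`, the file name and the sample theme source are constructed for illustration.

```javascript
"use strict";

// Less treats `...` as JavaScript to evaluate; ~`...` is the escaped form, and
// Less.js 1.x also interpolates a backtick expression inside a quoted string.
const INLINE_JS = /(~?)`([^`\r\n]*)`/g;

// Scan one .less source and return every backtick expression found.
// Comments are deliberately not stripped: a hit inside a comment costs a
// reviewer a glance, a miss caused by a naive comment stripper costs more.
function findInlineJavaScript(lessSource, fileName = "<input>") {
  const findings = [];
  lessSource.split(/\r?\n/).forEach((text, i) => {
    const line = i + 1;
    for (const m of text.matchAll(INLINE_JS)) {
      // An odd number of double quotes before the match means "inside a string".
      const quotes = (text.slice(0, m.index).match(/"/g) || []).length;
      const form = quotes % 2 === 1 ? "quoted" : m[1] ? "escaped" : "plain";
      findings.push({ file: fileName, line, form, expression: m[2].trim() });
    }
    // An odd backtick count means an expression continues on another line.
    if ((text.match(/`/g) || []).length % 2 === 1) {
      findings.push({ file: fileName, line, form: "unterminated", expression: "" });
    }
  });
  return findings;
}

// Constructed sample theme source (not taken from any real library).
const SAMPLE_LESS = [
  "@base: #0a6ed1;",
  '@upper: `"sap".toUpperCase()`;',
  '@width: ~`(1 + 1) + "px"`;',
  '@label: "built in `new Date().getFullYear()`";',
  ".sapButton { color: @base; }",
].join("\n");

const sampleFindings = findInlineJavaScript(SAMPLE_LESS, "library.source.less");
for (const f of sampleFindings) {
  console.log(`${f.file}:${f.line} [${f.form}] ${f.expression}`);
}
```

In a build pipeline, a non-empty result for a dependency's .less files is a reason to stop and review the file before it is handed to a less-openui5 version prior to 0.10.0.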

Fix

Special Elements Injection


Weakness Enumeration

Related Identifiers

CVE-2021-21316
GHSA-3CRJ-W4F5-GWH4

Affected Products

Openui5
Sapui5