Description
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
Remediation
References
https://hackerone.com/reports/390929
Related Vulnerabilities
CVE-2021-40690 Vulnerability in maven package org.apache.santuario:xmlsec
CVE-2022-41249 Vulnerability in maven package com.meowlomo.jenkins:scm-httpclient
CVE-2022-24891 Vulnerability in maven package org.owasp.esapi:esapi
CVE-2020-7702 Vulnerability in npm package templ8
CVE-2020-28502 Vulnerability in npm package xmlhttprequest-ssl