Description
The dot package v1.1.2 compiles templates with Function(), so template source becomes executable code. This can be exploited by an attacker who controls the template passed to the compiler, or who can set values on Object.prototype (prototype pollution) that the compiler reads during compilation.
Remediation
References
https://hackerone.com/reports/390929
Related Vulnerabilities
CVE-2022-37265 Vulnerability in npm package steal
CVE-2022-24278 Vulnerability in npm package convert-svg-core
CVE-2020-9281 Vulnerability in npm package ckeditor4-dev
CVE-2020-8897 Vulnerability in maven package com.amazonaws:aws-encryption-sdk-java
CVE-2022-36889 Vulnerability in maven package org.jenkins-ci.plugins:deployer-framework