Description
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
Remediation
References
https://hackerone.com/reports/390929
Related Vulnerabilities
CVE-2022-31147 Vulnerability in maven package org.webjars.npm:jquery-validation
CVE-2020-36381 Vulnerability in npm package aaptjs
CVE-2020-12642 Vulnerability in maven package com.epam.reportportal:service-api
CVE-2021-3749 Vulnerability in npm package axios
CVE-2022-31147 Vulnerability in maven package org.webjars.bower:jquery-validation