Description

The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.

Remediation

References

https://hackerone.com/reports/390929

Related Vulnerabilities

CVE-2021-34801 Vulnerability in npm package valine

CVE-2022-21227 Vulnerability in npm package sqlite3

CVE-2020-7736 Vulnerability in npm package bmoor

CVE-2020-1714 Vulnerability in maven package org.keycloak:keycloak-common

CVE-2020-2133 Vulnerability in maven package com.applatix.jenkins:applatix

Severity

Critical

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Mitigation Third Party Advisory