CVE-2020-8141 – dot

Package

Manager: npm
Name: dot
Vulnerable Version: >=0 <1.1.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01037 pctl0.76559

Details

Improper Control of Generation of Code in doT The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.

Metadata

Created: 2022-05-24T17:11:32Z
Modified: 2022-06-23T06:55:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-297x-8xj4-vcxv/GHSA-297x-8xj4-vcxv.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-297x-8xj4-vcxv
Finding: F422
Auto approve: 1