GHSA-4859-gpc7-4j66 – dot

Package

Manager: npm
Name: dot
Vulnerable Version: >=0 <=1.1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Command Injection in dot All versions of dot are vulnerable to Command Injection. The template compilation may execute arbitrary commands if an attacker can inject code in the template or if a Prototype Pollution-like vulnerability can be exploited to alter an Object's prototype.

Metadata

Created: 2019-06-05T21:24:29Z
Modified: 2021-08-04T20:55:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-4859-gpc7-4j66/GHSA-4859-gpc7-4j66.json
CWE IDs: ["CWE-77"]
Alternative ID: N/A
Finding: F422
Auto approve: 1