Description
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
Remediation
References
https://hackerone.com/reports/390929
Related Vulnerabilities
CVE-2020-13942 Vulnerability in maven package org.apache.unomi:unomi-persistence-elasticsearch-core
CVE-2022-39387 Vulnerability in maven package org.xwiki.contrib.oidc:oidc-authenticator
CVE-2020-17530 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2022-0272 Vulnerability in maven package io.gitlab.arturbosch.detekt:detekt-core
CVE-2021-38294 Vulnerability in maven package org.apache.storm:storm-server