Description
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
Remediation
References
https://hackerone.com/reports/390929
Related Vulnerabilities
CVE-2020-27218 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2022-47042 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2021-23356 Vulnerability in npm package kill-process-by-name
CVE-2017-1000228 Vulnerability in maven package org.webjars.npm:ejs
CVE-2020-10688 Vulnerability in maven package org.jboss.resteasy:resteasy-core