Description
The dot package (doT) v1.1.2 compiles templates by building JavaScript source text and handing it to Function(), so a template is executable code rather than data. An attacker can run arbitrary JavaScript in the process if they control the template text passed to the compiler, or if they can set a value on Object.prototype (prototype pollution) that the compiler picks up while building that source.
Remediation
Treat doT templates as executable code: compile only templates from a trusted source, never ones assembled from request or user data. Because the compiler can also be reached through Object.prototype, make sure nothing else in the process lets untrusted input write to it (an unsafe recursive merge or deep-set of user-supplied objects is the usual culprit).
References
https://hackerone.com/reports/390929
Related Vulnerabilities
CVE-2021-23354 Vulnerability in npm package printf
CVE-2020-8127 Vulnerability in maven package org.webjars.bowergithub.hakimel:reveal.js
CVE-2021-44667 Vulnerability in maven package com.alibaba.nacos:nacos-common
CVE-2021-32620 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2020-26217 Vulnerability in maven package xstream:xstream