Description
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
Remediation
References
https://hackerone.com/reports/390929
Related Vulnerabilities
CVE-2020-5258 Vulnerability in maven package org.webjars:dojo
CVE-2021-23436 Vulnerability in npm package immer
CVE-2018-1000632 Vulnerability in maven package org.dom4j:dom4j
CVE-2021-23463 Vulnerability in maven package com.h2database:h2
CVE-2019-5427 Vulnerability in maven package com.mchange:c3p0