PT-2020-19977 · Node.Js · Dot
Published: 2020-03-15 · Updated: 2022-05-24 · CVE-2020-8141
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
dot package version 1.1.2
Description
The dot package uses Function() to compile templates. This can be exploited if an attacker can control the given template or a value set on Object.prototype.
Recommendations
For dot package version 1.1.2, consider avoiding the use of user-controlled data in templates to minimize the risk of exploitation. As a temporary workaround, restrict the ability to set values on Object.prototype until a patch is available.
Exploit
Fix
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Dot
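One way to apply the Object.prototype workaround from the Recommendations in a Node.js application, as an added example that is not code from the dot package or from this advisory. The function names and the stand-in compiler are hypothetical, and the check assumes Object.prototype is clean when the module loads.

```javascript
// Added example; function names here are hypothetical, not part of dot.

// Keys present on Object.prototype when this module loads (assumed clean).
const BASELINE = new Set(Reflect.ownKeys(Object.prototype));

// Keys added to Object.prototype since load, including non-enumerable ones.
function pollutedKeys() {
  return Reflect.ownKeys(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Run compileFn(template) only if Object.prototype is unchanged.
// compileFn stands for whatever template compiler the application calls.
function guardedCompile(compileFn, template) {
  const extra = pollutedKeys();
  if (extra.length > 0) {
    throw new Error('Object.prototype modified: ' + extra.map(String).join(', '));
  }
  return compileFn(template);
}

// Workaround: make Object.prototype immutable so later writes are rejected.
// Code that assigns over an inherited name (e.g. obj.toString = ...) on
// ordinary objects stops working after this, so exercise the app first.
function lockObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Constructed stand-in compiler for the demo; it does not use Function().
const standInCompile = (text) => () => text;
console.log(guardedCompile(standInCompile, 'hello')());
```

Calling lockObjectPrototype() once at startup, before any untrusted input is parsed, covers the workaround; guardedCompile() adds a check at the point where templates are compiled.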