CVE-2020-8141

Published: Mar 15, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.

Affected (1)

Products: Dot Project: Dot

Dot Project

1 product

Dot

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dot Project Dot	Version 1.1.2

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://hackerone.com/reports/390929

Source: support@hackerone.com

ExploitMitigationThird Party Advisory

https://hackerone.com/reports/390929

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

Timeline

No history available yet.