MidnightBSD

Advisories for dot_project

CVE-2020-7639 MEDIUM

eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
dot_project dot *
CVE-2020-8141 MEDIUM

The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-94,

Products Affected

Vendor Product Version
dot_project dot 1.1.2