CVE-2020-8141
Improper Control of Generation of Code in doT
8.8
HIGH
CVSS 3.1
EPSS 1.0%
Description
The dot package v1.1.2 uses Function() to compile templates. An attacker can exploit this if they control the template being compiled or if they can control the value set on Object.prototype.
How to fix CVE-2020-8141
To remediate CVE-2020-8141, upgrade the affected package to one of the fixed versions listed below.
- Debian/node-dot—upgrade to 1.1.3+ds-1 or later
- —upgrade to 1.1.3 or later
Is CVE-2020-8141 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.1.3+ds-1
- from 0, < 1.1.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |