Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ4NTktZ3BjNy00ajY2
Command Injection in dot
All versions of dot are vulnerable to Command Injection. The template compilation may execute arbitrary commands if an attacker can inject code in the template or if a Prototype Pollution-like vulnerability can be exploited to alter an Object's prototype.
Permalink: https://github.com/advisories/GHSA-4859-gpc7-4j66JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ4NTktZ3BjNy00ajY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
Identifiers: GHSA-4859-gpc7-4j66
References:
- https://hackerone.com/reports/390929
- https://www.npmjs.com/advisories/798
- https://github.com/advisories/GHSA-4859-gpc7-4j66
Affected Packages
npm:dot
Dependent packages: 720Dependent repositories: 72,096
Downloads: 2,002,717 last month
Affected Version Ranges: <= 1.1.2
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2