{"api_version":"1","generated_at":"2026-04-23T02:15:54+00:00","cve":"CVE-2020-8141","urls":{"html":"https://cve.report/CVE-2020-8141","api":"https://cve.report/api/cve/CVE-2020-8141.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-8141","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-8141"},"summary":{"title":"CVE-2020-8141","description":"The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2020-03-15 18:15:00","updated_at":"2020-03-17 20:07:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"https://hackerone.com/reports/390929","name":"https://hackerone.com/reports/390929","refsource":"MISC","tags":["Exploit","Mitigation","Third Party Advisory"],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-8141","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8141","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"8141","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"dot_project","cpe5":"dot","cpe6":"1.1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"8141","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"dot_project","cpe5":"dot","cpe6":"1.1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-8141","qid":"375626","title":"IBM Cognos Analytics Multiple Vulnerabilities (6451705)"},{"cve":"CVE-2020-8141","qid":"375661","title":"Node.js Dot v1.1.2 Code Injection Vulnerability"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-8141","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"dot","version":{"version_data":[{"version_value":"1.1.2"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Code Injection (CWE-94)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://hackerone.com/reports/390929","url":"https://hackerone.com/reports/390929"}]},"description":{"description_data":[{"lang":"eng","value":"The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype."}]}},"nvd":{"publishedDate":"2020-03-15 18:15:00","lastModifiedDate":"2020-03-17 20:07:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:dot_project:dot:1.1.2:*:*:*:*:node.js:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"8141","Ordinal":"168478","Title":"CVE-2020-8141","CVE":"CVE-2020-8141","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"8141","Ordinal":"1","NoteData":"The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"8141","Ordinal":"2","NoteData":"2020-03-15","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"8141","Ordinal":"3","NoteData":"2020-03-15","Type":"Other","Title":"Modified"}]}}}