CVE-2019-10793: 
JavaScript vulnerability analysis and mitigation

dot-object before version 2.1.3 is vulnerable to Prototype Pollution. The vulnerability was discovered in February 2020 and assigned CVE-2019-10793. The set function could be tricked into adding or modifying properties of Object.prototype using a proto payload (NVD, Snyk).

The vulnerability exists in the set function of dot-object package, which fails to properly validate user input, allowing an attacker to manipulate the Object.prototype. The vulnerability has a CVSS v3.1 base score of 6.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The issue was discovered by JHU System Security Lab (Snyk).

Successful exploitation of this vulnerability could allow an attacker to modify properties within the global prototype chain, potentially leading to denial of service (DoS) at minimum. The vulnerability affects the confidentiality, integrity, and availability of the application with low impact on each aspect (Snyk).

The vulnerability has been fixed in version 2.1.3 of dot-object. Users should upgrade to this version or higher to mitigate the risk. The fix includes implementing a blacklist of dangerous attributes including 'proto', 'prototype', and 'constructor' (GitHub Patch).