Description

The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.

Related CPE's

a

totaljs

total.js

*

*

*

*

*

node.js

Vulnerable

References

https://github.com/totaljs/framework/blob/master/utils.js%23L6606-L6631

Broken Link

https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3

PatchThird Party Advisory

https://snyk.io/vuln/SNYK-JS-TOTALJS-1088607

ExploitPatchThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-94

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-07-12T16:15:08.953

4 years ago

Last modified

2021-07-14T17:37:10.223

3 years ago