This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
References
Link | Resource |
---|---|
https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set | Broken Link |
https://github.com/totaljs/framework/blob/master/utils.js%23L6606 | Broken Link |
https://github.com/totaljs/framework/blob/master/utils.js%23L6617 | Broken Link |
https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff | Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671 | Exploit Patch Third Party Advisory |
Configurations
History
05 Feb 2021, 16:53
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:* | |
References | (MISC) https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671 - Exploit, Patch, Third Party Advisory | |
References | (MISC) https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff - Patch, Third Party Advisory | |
References | (MISC) https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set - Broken Link | |
References | (MISC) https://github.com/totaljs/framework/blob/master/utils.js%23L6606 - Broken Link | |
References | (MISC) https://github.com/totaljs/framework/blob/master/utils.js%23L6617 - Broken Link | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 7.3 |
CWE | NVD-CWE-Other |
02 Feb 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-02-02 11:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-28495
Mitre link : CVE-2020-28495
CVE.ORG link : CVE-2020-28495
JSON object : View
Products Affected
totaljs
- total.js
CWE