CVE-2020-28495

Published: Feb 2, 2021Modified: Nov 21, 2024

7.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability: 3.9 / Impact: 3.4

Source: report@snyk.io (Secondary)

Description

This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.

Affected (1)

Products: Totaljs: Total.js

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Totaljs Total.js	Before 3.4.7

References (10)

https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set

Source: report@snyk.io

Broken Link

https://github.com/totaljs/framework/blob/master/utils.js%23L6606

Source: report@snyk.io

Broken Link

https://github.com/totaljs/framework/blob/master/utils.js%23L6617

Source: report@snyk.io

Broken Link

https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff

Source: report@snyk.io

PatchThird Party Advisory

https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671

Source: report@snyk.io

ExploitPatchThird Party Advisory

https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://github.com/totaljs/framework/blob/master/utils.js%23L6606

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://github.com/totaljs/framework/blob/master/utils.js%23L6617

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.