CVE-2020-28495

Опубликовано: 02 фев. 2021

Источник: nvd

CVSS3: 7.3

CVSS2: 7.5

EPSS Низкий

Описание

This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.

Ссылки

https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set
Broken Link
https://github.com/totaljs/framework/blob/master/utils.js%23L6606
Broken Link
https://github.com/totaljs/framework/blob/master/utils.js%23L6617
Broken Link
https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671
Exploit
Patch
Third Party Advisory
https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set
Broken Link
https://github.com/totaljs/framework/blob/master/utils.js%23L6606
Broken Link
https://github.com/totaljs/framework/blob/master/utils.js%23L6617
Broken Link
https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*

Версия до 3.4.7 (исключая)

EPSS

Процентиль: 91%

0.06091

Низкий

7.3 High

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

GHSA-6cf8-qhqj-vjqm