CVE-2020-28495
Published 2021-02-02
Priority: P3 (44), high
CVSS 3.1: 7.3 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 3.63% (88.1th percentile)
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
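The advisory text describes the flaw class in one sentence: a path-based setter that creates and walks nested objects without checking the keys of the path. The following is an added illustration, not total.js code and not its `U.set` implementation; both setters (`naiveSet`, `safeSet`) and the sample paths are constructed for this example. It shows why an unchecked key such as `__proto__` lets the walk reach `Object.prototype`, so an unrelated object created later inherits the written property, and what the hardened form checks: it rejects the prototype-reaching keys, descends only through own properties, and uses null-prototype containers for the objects it creates.

```javascript
// Added illustration of the flaw class in this advisory. NOT total.js code;
// naiveSet and safeSet are constructed for the example.

// Keys that let a property path climb out of the target object into a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed naive path setter: walks "a.b.c", creating intermediate objects.
// It never checks the keys, so a path like "__proto__.x" climbs into
// Object.prototype and every plain object in the process inherits "x".
function naiveSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]]; // for "__proto__" this is Object.prototype itself
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened setter: rejects prototype-reaching keys before touching anything,
// only descends through own properties, and creates intermediate containers
// with a null prototype so nothing is reachable through inheritance.
function safeSet(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set prototype-reaching key: ${k}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) ||
        cur[k] === null || typeof cur[k] !== 'object') {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Impact check: a freshly created, unrelated object observes the property
// written through the naive setter. Cleans up afterwards so the process is
// left as it was. Returns the value the unrelated object saw.
function demonstratePollution() {
  const target = {};
  naiveSet(target, '__proto__.polluted', 'yes');
  const unrelated = {};
  const leaked = unrelated.polluted; // inherited via Object.prototype
  delete Object.prototype.polluted;
  return leaked;
}

// Same path against the hardened setter is refused, while an ordinary
// nested path still works and Object.prototype stays untouched.
function demonstrateHardened() {
  const target = {};
  let refused = false;
  try {
    safeSet(target, '__proto__.polluted', 'yes');
  } catch (e) {
    refused = true;
  }
  safeSet(target, 'config.db.port', 5432);
  return { refused, port: target.config.db.port, polluted: ({}).polluted };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive setter leaked:', demonstratePollution());
  console.log('hardened setter:', demonstrateHardened());
}
```

The key check belongs on every segment of the path, not only the first: `constructor.prototype.x` reaches `Object.prototype` just as `__proto__.x` does. Checking only own properties during the walk is the second half of the fix; without it, a key that happens to exist on the prototype chain (such as `toString`) would be used as the container for the next step.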
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| totaljs | total.js | < 3.4.7 | 3.4.7 |
| totaljs | total.js | >= 0 < 3.4.7 | 3.4.7 |
| totaljs | total.js | >= unspecified < 3.4.7 | 3.4.7 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA (2021-02-05): CVE-2020-28495 [HIGH] CWE-1321 Prototype pollution in total.js
There is a prototype pollution vulnerability in the package total.js before version 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
OSV (2021-02-05): CVE-2020-28495 [HIGH] Prototype pollution in total.js
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://docs.totaljs.com/latest/en.html#api~FrameworkUtils~U.set
- https://github.com/totaljs/framework/blob/master/utils.js#L6606
- https://github.com/totaljs/framework/blob/master/utils.js#L6617
- https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
- https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671