CVE-2020-28494

Source
https://cve.org/CVERecord?id=CVE-2020-28494
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28494.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-28494
Aliases
Published
2021-02-02T11:15:13.067Z
Modified
2026-07-08T06:00:26.149350539Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
Summary
[none]
Details

This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "CPE_RANGE",
            "vendor_product": "totaljs:total.js",
            "extracted_events": [
                {
                    "fixed": "3.4.7"
                },
                {
                    "fixed": "3.4.7"
                },
                {
                    "fixed": "3.4.7"
                }
            ],
            "cpes": [
                "cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*"
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "introduced": "total.js"
                },
                {
                    "fixed": "3.4.7"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/totaljs/framework

Affected ranges

Type
GIT
Repo
https://github.com/totaljs/framework
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.2.0
v1.2.3
v1.2.3-1
v1.2.4
v1.3.0
v1.3.1
v1.4.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.6.3
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.8.0
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v3.*
v3.0.0
v3.1.0
v3.2.0
v3.3.0
v3.3.1
v3.3.2
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28494.json"