GHSA-3q32-j57w-q4w7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3q32-j57w-q4w7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-3q32-j57w-q4w7/GHSA-3q32-j57w-q4w7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3q32-j57w-q4w7
- Aliases
- Published
- 2019-02-20T15:40:13Z
- Modified
- 2023-11-08T04:01:46.309593Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Path Traversal in total.js
- Details
-
Affected versions of
total.jsare vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files outside the/publicfolder by using relative paths.
The files served are limited to these file types:flac,jpg,jpeg,png,gif,ico,js,css,txt,xml,woff,woff2,otf,ttf,eot,svg,zip,rar,pdf,docx,xlsx,doc,xls,html,htm,appcache,manifest,map,ogv,ogg,mp4,mp3,webp,webm,swf,package,json,md,m4v,jsx,heif,heic.Recommendation
- If you are using version 2.1.x, upgrade to 2.1.1 or later.
- If you are using version 2.2.x, upgrade to 2.2.1 or later.
- If you are using version 2.3.x, upgrade to 2.3.1 or later.
- If you are using version 2.4.x, upgrade to 2.4.1 or later.
- If you are using version 2.5.x, upgrade to 2.5.1 or later.
- If you are using version 2.6.x, upgrade to 2.6.3 or later.
- If you are using version 2.7.x, upgrade to 2.7.1 or later.
- If you are using version 2.8.x, upgrade to 2.8.1 or later.
- If you are using version 2.9.x, upgrade to 2.9.5 or later.
- If you are using version 3.0.x, upgrade to 3.0.1 or later.
- If you are using version 3.1.x, upgrade to 3.1.1 or later.
- If you are using version 3.2.x, upgrade to 3.2.4 or later.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed_at": "2020-06-16T20:55:54Z", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-8903
- https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7
- https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525932b
- https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903
- https://github.com/advisories/GHSA-3q32-j57w-q4w7
- https://github.com/totaljs/framework
- https://www.npmjs.com/advisories/1026
Affected packages
npm / total.js
Package
- Name
- total.js
- View open source insights on deps.dev
- Purl
- pkg:npm/total.js