GHSA-6cf8-qhqj-vjqm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6cf8-qhqj-vjqm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-6cf8-qhqj-vjqm/GHSA-6cf8-qhqj-vjqm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6cf8-qhqj-vjqm
- Aliases
- Published
- 2021-02-05T20:43:19Z
- Modified
- 2025-01-14T08:57:29.855718Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Prototype pollution in total.js
- Details
-
There is a prototype pollution vulnerability in the package total.js before version 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
- Database specific
{ "github_reviewed_at": "2021-02-03T07:46:44Z", "severity": "HIGH", "cwe_ids": [ "CWE-1321", "CWE-400" ], "github_reviewed": true, "nvd_published_at": "2021-02-02T11:15:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-28495
- https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
- https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set
- https://github.com/totaljs/framework/blob/master/utils.js%23L6606
- https://github.com/totaljs/framework/blob/master/utils.js%23L6617
- https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671
- https://www.npmjs.com/package/total.js
Affected packages
npm / total.js
Package
- Name
- total.js
- View open source insights on deps.dev
- Purl
- pkg:npm/total.js