CVE Vulnerability

CVE-2021-32831

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.

6.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

7.2 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.npmjs.com/package/total.js Product Third Party Advisory
https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11 Third Party Advisory
https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3 Patch Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/ Exploit Patch
Configurations

Configuration 1

cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*
Information

Published : 2021-08-30 09:15

Updated : 2021-09-07 07:43

NVD link : CVE-2021-32831

Mitre link : CVE-2021-32831

Products Affected
No products.
CWE
CWE-94