CVE-2020-28494 – total.js

Package

Manager: npm
Name: total.js
Vulnerable Version: >=0 <3.4.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.01199 pctl0.78115

Details

Command injection in total.js There is a command injection vulnerability that affects the package total.js before version 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.

Metadata

Created: 2021-02-05T20:43:27Z
Modified: 2021-07-28T18:57:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-4449-hg37-77v8/GHSA-4449-hg37-77v8.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-4449-hg37-77v8
Finding: F404
Auto approve: 1