CVE-2021-23344 – total.js

Package

Manager: npm
Name: total.js
Vulnerable Version: >=0 <3.4.8

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.06653 pctl0.90843

Details

total.js Remote Code Execution Vulnerability total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application. Affected versions of this package are vulnerable to Remote Code Execution (RCE) via `set`. ### PoC ```js // To be run in a nodejs console: require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//') ```

Metadata

Created: 2021-03-19T21:32:20Z
Modified: 2023-09-13T20:23:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-3wj8-vp9h-rm6m/GHSA-3wj8-vp9h-rm6m.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-3wj8-vp9h-rm6m
Finding: F422
Auto approve: 1