Vulnerabilities > CVE-2020-28495 - Unspecified vulnerability in Totaljs Total.Js
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
Vulnerable Configurations
References
- https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set
- https://github.com/totaljs/framework/blob/master/utils.js%23L6606
- https://github.com/totaljs/framework/blob/master/utils.js%23L6617
- https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
- https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671