Vulnerability Details : CVE-2020-28495
This affects the package total.js before 3.4.7. The set function can be used to set a value into an object according to a path. However, the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of Service (DoS), Remote Code Execution or Property Injection.
Vulnerability category: Execute code; Denial of service
Products affected by CVE-2020-28495
- cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-28495
0.62% (probability of exploitation activity in the next 30 days)
EPSS Score History
~79% percentile (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2020-28495
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 | Snyk | 
References for CVE-2020-28495
- https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
  Fixed `U.set()` by adding check for `Prototype pollution` · totaljs/framework@b3f9015 · GitHub (Patch; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671
  Prototype Pollution in total.js | Snyk (Exploit; Patch; Third Party Advisory)
- https://docs.totaljs.com/latest/en.html#api~FrameworkUtils~U.set
  404: Not Found (Broken Link)
- https://github.com/totaljs/framework/blob/master/utils.js#L6617
  Page not found · GitHub (Broken Link)
- https://github.com/totaljs/framework/blob/master/utils.js#L6606
  Page not found · GitHub (Broken Link)