CVE-2021-32831 : Total.js framework (npm package total.js) is a framework for Node.js platfrom wr

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.

Published 2021-08-30 21:15:09

Updated 2021-09-07 19:43:40

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-32831

Totaljs » Total.js » For Node.js
Versions before (<) 3.4.9
cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-32831

EPSS FAQ

0.87%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-32831

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.5	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H	0.8	6.0	GitHub, Inc.
Attack Vector: Local Attack Complexity: High Privileges Required: High User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-32831

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-32831

https://www.npmjs.com/package/total.js

total.js - npm
Product;Third Party Advisory
https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11

framework/changes.txt at e644167d5378afdc45cb0156190349b2c07ef235 · totaljs/framework · GitHub
Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/

GHSL-2021-066: DoS and RCE in totaljs | GitHub Security Lab
Exploit;Patch;Third Party Advisory
https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3

Fixed security issue in `U.set()` and `U.get()`. · totaljs/framework@887b0fa · GitHub
Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-32831

Products affected by CVE-2021-32831

Exploit prediction scoring system (EPSS) score for CVE-2021-32831

CVSS scores for CVE-2021-32831

CWE ids for CVE-2021-32831

References for CVE-2021-32831