Path Traversal

2019-06-2814:17:06

Krauter Riccardo

www.npmjs.com

0.013 Low

EPSS

Percentile

85.8%

JSON

Overview

Affected versions of total.js are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files outside the /public folder by using relative paths.
The files served are limited to these file types: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic.

Recommendation

If you are using version 2.1.x, upgrade to 2.1.1 or later.
If you are using version 2.2.x, upgrade to 2.2.1 or later.
If you are using version 2.3.x, upgrade to 2.3.1 or later.
If you are using version 2.4.x, upgrade to 2.4.1 or later.
If you are using version 2.5.x, upgrade to 2.5.1 or later.
If you are using version 2.6.x, upgrade to 2.6.3 or later.
If you are using version 2.7.x, upgrade to 2.7.1 or later.
If you are using version 2.8.x, upgrade to 2.8.1 or later.
If you are using version 2.9.x, upgrade to 2.9.5 or later.
If you are using version 3.0.x, upgrade to 3.0.1 or later.
If you are using version 3.1.x, upgrade to 3.1.1 or later.
If you are using version 3.2.x, upgrade to 3.2.4 or later.

References

GitHub Advisory

CPENameOperatorVersion
total.jslt2.1.1 || >=2.2.0 <2.2.1 || >=2.3.0 <2.3.1 || >=2.4.0 <2.4.1 || >=2.5.0 <2.5.1 || >=2.6.0 <2.6.3 || >=2.7.0 <2.7.1 || >=2.8.0 <2.8.1 || >=2.9.0 <2.9.5 || >=3.0.0 <3.0.1 || >=3.1.0 <3.1.1 || >=3.2.0 <3.2.4

CPE	Name	Operator	Version
	total.js	lt	2.1.1 \|\| >=2.2.0 <2.2.1 \|\| >=2.3.0 <2.3.1 \|\| >=2.4.0 <2.4.1 \|\| >=2.5.0 <2.5.1 \|\| >=2.6.0 <2.6.3 \|\| >=2.7.0 <2.7.1 \|\| >=2.8.0 <2.8.1 \|\| >=2.9.0 <2.9.5 \|\| >=3.0.0 <3.0.1 \|\| >=3.1.0 <3.1.1 \|\| >=3.2.0 <3.2.4

0.013 Low

EPSS

Percentile

85.8%

JSON

Related for NODEJS:1026