Lucene search
K

188 matches found

ATTACKERKB
ATTACKERKB
added 2021/03/04 4:52 p.m.0 views

CVE-2021-23344

The package total.js before 3.4.8 are vulnerable to Remote Code Execution RCE via set...

9.8CVSS5.5AI score0.04787EPSS
Exploits1References3
CNNVD
CNNVD
added 2021/03/04 12:0 a.m.7 views

total.js 代码注入漏洞

Peter Širka Total.js is Peter Širka an open source application. It provides a programming framework. A security vulnerability exists in total.js before 3.4.8, which stems from vulnerability to remote code execution RCE attacks by set...

9.8CVSS9AI score0.04787EPSS
Exploits1References2
Node.js
Node.js
added 2021/02/23 2:24 a.m.211 views

Command Injection

Overview There is a command injection vulnerability in affected versions of total.js. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is calle...

7.5CVSS8.7AI score0.01702EPSS
Exploits1Affected Software1
Snyk
Snyk
added 2021/02/19 4:12 p.m.3 views

Remote Code Execution (RCE)

Overview total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application. Affected versions of this package are vulnerable to Remote Code Execution RCE via set. PoC // To...

9.8CVSS7.3AI score0.04787EPSS
Exploits1References2
OpenVAS
OpenVAS
added 2021/02/08 12:0 a.m.13 views

Total.js < 3.4.7 Multiple Vulnerabilities

Total.js is prone to multiple vulnerabilities. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

8.6CVSS7.9AI score0.03634EPSS
Exploits2References4
OSV
OSV
added 2021/02/05 8:43 p.m.15 views

GHSA-4449-HG37-77V8 Command injection in total.js

There is a command injection vulnerability that affects the package total.js before version 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because...

8.6CVSS8.7AI score0.01702EPSS
Exploits1References4
vulnersOsv
vulnersOsv
added 2021/02/05 8:43 p.m.6 views

@pl-test/c (>=1.1.0 <=1.1.1), @pl-test/e (=1.1.0) +10 more potentially affected by CVE-2020-28494 via total.js (>=1.2.3 <=3.4.13)

total.js NPM version =1.2.3, =1.1.0, =0.1.5, =0.1.0, =4.0.0, =1.0.0, =0.0.1, =0.0.1, =0.0.4 Source cves: CVE-2020-28494 Source advisory: OSV:GHSA-4449-HG37-77V8...

8.6CVSS7.2AI score0.01702EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2021/02/05 8:43 p.m.120 views

Command injection in total.js

There is a command injection vulnerability that affects the package total.js before version 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because...

8.6CVSS8.8AI score0.01702EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2021/02/05 8:43 p.m.48 views

Prototype pollution in total.js

There is a prototype pollution vulnerability in the package total.js before version 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impa...

7.5CVSS7.3AI score0.03634EPSS
Exploits1References8Affected Software1
OSV
OSV
added 2021/02/05 8:43 p.m.13 views

GHSA-6CF8-QHQJ-VJQM Prototype pollution in total.js

There is a prototype pollution vulnerability in the package total.js before version 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impa...

7.3CVSS7.5AI score0.03634EPSS
Exploits1References7
Huntr
Huntr
added 2021/02/04 12:0 a.m.6 views

Command Injection in totaljs/framework

Description Command Injection in total.js Proof of Concept 1. Create the following PoC file: // poc.js const total = require'total.js'; let image = Image.load""; let payload = ";touch HACKED;"; image.pipenull,payload; 2. Execute the following commands in terminal: npm i total.js Install affected...

1.2AI score
Exploits0
Veracode
Veracode
added 2021/02/03 7:21 a.m.12 views

Prototype Pollution

total.js is vulnerable to prototype pollution. The keys of the path being set are not properly sanitized, allowing for injection of arbitrary properties into existing construct prototypes and modification of attributes such as proto, constructor and prototype...

7.3CVSS4.3AI score0.03634EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2021/02/03 5:11 a.m.12 views

OS Command Injection

total.js is vulnerable to OS command injection. The type parameter is not properly sanitized and validated, and is used to build the command which is subsequently executed using childprocess.spawn...

8.6CVSS3.1AI score0.01702EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2021/02/02 11:15 a.m.17 views

CVE-2020-28494

This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true an...

8.6CVSS0.01702EPSS
Exploits1References2
NVD
NVD
added 2021/02/02 11:15 a.m.21 views

CVE-2020-28495

This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some case...

7.5CVSS0.03634EPSS
Exploits1References5
OSV
OSV
added 2021/02/02 11:15 a.m.14 views

CVE-2020-28495

This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some case...

7.3CVSS7.4AI score
Exploits0References5
OSV
OSV
added 2021/02/02 11:15 a.m.19 views

CVE-2020-28494

This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true an...

8.6CVSS6.8AI score
Exploits0References2
Prion
Prion
added 2021/02/02 11:15 a.m.14 views

Design/Logic Flaw

This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true an...

7.5CVSS8.6AI score0.01702EPSS
Exploits1References2Affected Software1
Prion
Prion
added 2021/02/02 11:15 a.m.10 views

Design/Logic Flaw

This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some case...

7.5CVSS7.4AI score0.03634EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2021/02/02 10:25 a.m.20 views

CVE-2020-28494 Command Injection

This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true an...

8.6CVSS8.7AI score0.01702EPSS
Exploits1References2
Rows per page
Query Builder