188 matches found
CVE-2021-23344
The package total.js before 3.4.8 are vulnerable to Remote Code Execution RCE via set...
total.js 代码注入漏洞
Peter Širka Total.js is Peter Širka an open source application. It provides a programming framework. A security vulnerability exists in total.js before 3.4.8, which stems from vulnerability to remote code execution RCE attacks by set...
Command Injection
Overview There is a command injection vulnerability in affected versions of total.js. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is calle...
Remote Code Execution (RCE)
Overview total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application. Affected versions of this package are vulnerable to Remote Code Execution RCE via set. PoC // To...
Total.js < 3.4.7 Multiple Vulnerabilities
Total.js is prone to multiple vulnerabilities. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
GHSA-4449-HG37-77V8 Command injection in total.js
There is a command injection vulnerability that affects the package total.js before version 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because...
@pl-test/c (>=1.1.0 <=1.1.1), @pl-test/e (=1.1.0) +10 more potentially affected by CVE-2020-28494 via total.js (>=1.2.3 <=3.4.13)
total.js NPM version =1.2.3, =1.1.0, =0.1.5, =0.1.0, =4.0.0, =1.0.0, =0.0.1, =0.0.1, =0.0.4 Source cves: CVE-2020-28494 Source advisory: OSV:GHSA-4449-HG37-77V8...
Command injection in total.js
There is a command injection vulnerability that affects the package total.js before version 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because...
Prototype pollution in total.js
There is a prototype pollution vulnerability in the package total.js before version 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impa...
GHSA-6CF8-QHQJ-VJQM Prototype pollution in total.js
There is a prototype pollution vulnerability in the package total.js before version 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impa...
Command Injection in totaljs/framework
Description Command Injection in total.js Proof of Concept 1. Create the following PoC file: // poc.js const total = require'total.js'; let image = Image.load""; let payload = ";touch HACKED;"; image.pipenull,payload; 2. Execute the following commands in terminal: npm i total.js Install affected...
Prototype Pollution
total.js is vulnerable to prototype pollution. The keys of the path being set are not properly sanitized, allowing for injection of arbitrary properties into existing construct prototypes and modification of attributes such as proto, constructor and prototype...
OS Command Injection
total.js is vulnerable to OS command injection. The type parameter is not properly sanitized and validated, and is used to build the command which is subsequently executed using childprocess.spawn...
CVE-2020-28494
This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true an...
CVE-2020-28495
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some case...
CVE-2020-28495
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some case...
CVE-2020-28494
This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true an...
Design/Logic Flaw
This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true an...
Design/Logic Flaw
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some case...
CVE-2020-28494 Command Injection
This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using childprocess.spawn. The issue occurs because childprocess.spawn is called with the option shell set to true an...