Lucene search
K

8 matches found

CVE
CVE
added 2021/02/02 10:25 a.m.113 views

CVE-2020-28494

Summary: CVE-2020-28494 affects the total.js package (before 3.4.7). The vulnerability occurs in the image.pipe and image.stream functions where the type parameter is used to build a command that is executed via child_process.spawn with the option shell: true, and the type value is not properly s...

8.6CVSS8.6AI score0.01702EPSS
CVE
CVE
added 2019/02/18 4:0 p.m.73 views

CVE-2019-8903

Summary: CVE-2019-8903 affects Total.js Platform before 3.2.3 and is a path traversal/LFI issue in index.js. Multiple sources (NVD, Nuclei template, GHSA advisory, OpenVAS, AttackersKB) confirm that insufficient input sanitization in URLs allows an attacker to access files outside the public dire...

7.5CVSS7.3AI score0.72058EPSS
CVE
CVE
added 2021/03/04 4:55 p.m.65 views

CVE-2021-23344

Total.js (package total.js) prior to version 3.4.8 is vulnerable to Remote Code Execution via set, as documented in CVE-2021-23344. The vulnerability affects the total.js component (utils/set path) and is confirmed by multiple sources (NVD entry, OpenVAS NASL, and related advisories) indicating a...

9.8CVSS9.7AI score0.04787EPSS
CVE
CVE
added 2021/08/30 8:40 p.m.63 views

CVE-2021-32831

CVE-2021-32831 affects the Total.js framework (npm package total.js). The vulnerability lies in the utils.set function when receiving user-controlled values, enabling code injection in versions prior to 3.4.9 and potentially leading to arbitrary code execution. The issue is fixed in version 3.4.9...

7.5CVSS7.2AI score0.01466EPSS
CVE
CVE
added 2022/10/29 12:0 a.m.58 views

CVE-2022-44019

Total.js versions prior to 0e5ace7 are vulnerable to remote command execution via shell metacharacters in the host parameter of the /api/common/ping endpoint. The issue is a command-injection flaw in Total.js 4.x pre-0e5ace7, enabling an attacker to execute arbitrary commands remotely. Affected c...

8.8CVSS8.8AI score0.02002EPSS
Web
CVE
CVE
added 2021/07/12 3:15 p.m.55 views

CVE-2021-23389

Total.js prior to 3.4.9 is vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. The issue, documented across multiple feeds (CVE-2021-23389, GHSA-7FM6-GXQG-2PWR, OSV, SNYK), stems from code in total.js (notably in utilities) that allows execution of arbitrary code. Impact...

9.8CVSS9.6AI score0.03603EPSS
CVE
CVE
added 2021/02/02 10:25 a.m.49 views

CVE-2020-28495

Total.js before 3.4.7 is affected by a prototype pollution vulnerability in the set function, which can set values by path and may alter Object.prototype, enabling DoS, remote code execution, or property injection depending on the application. The remediation is to upgrade Total.js to version 3.4...

7.5CVSS7.4AI score0.03634EPSS
CVE
CVE
added 2025/09/26 2:32 p.m.24 views

CVE-2025-11019

Total.js CMS (up to 19.9.0) has a cross-site scripting vulnerability in the Files Menu component caused by manipulation of an unknown function. The issue can be exploited remotely and an exploit has been disclosed publicly. The connected documents consistently reference Total.js CMS and the Files...

4.8CVSS3.2AI score0.00223EPSS