8 matches found
CVE-2020-28494
Summary: CVE-2020-28494 affects the total.js package (before 3.4.7). The vulnerability occurs in the image.pipe and image.stream functions where the type parameter is used to build a command that is executed via child_process.spawn with the option shell: true, and the type value is not properly s...
CVE-2019-8903
Summary: CVE-2019-8903 affects Total.js Platform before 3.2.3 and is a path traversal/LFI issue in index.js. Multiple sources (NVD, Nuclei template, GHSA advisory, OpenVAS, AttackersKB) confirm that insufficient input sanitization in URLs allows an attacker to access files outside the public dire...
CVE-2021-23344
Total.js (package total.js) prior to version 3.4.8 is vulnerable to Remote Code Execution via set, as documented in CVE-2021-23344. The vulnerability affects the total.js component (utils/set path) and is confirmed by multiple sources (NVD entry, OpenVAS NASL, and related advisories) indicating a...
CVE-2021-32831
CVE-2021-32831 affects the Total.js framework (npm package total.js). The vulnerability lies in the utils.set function when receiving user-controlled values, enabling code injection in versions prior to 3.4.9 and potentially leading to arbitrary code execution. The issue is fixed in version 3.4.9...
CVE-2022-44019
Total.js versions prior to 0e5ace7 are vulnerable to remote command execution via shell metacharacters in the host parameter of the /api/common/ping endpoint. The issue is a command-injection flaw in Total.js 4.x pre-0e5ace7, enabling an attacker to execute arbitrary commands remotely. Affected c...
CVE-2021-23389
Total.js prior to 3.4.9 is vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. The issue, documented across multiple feeds (CVE-2021-23389, GHSA-7FM6-GXQG-2PWR, OSV, SNYK), stems from code in total.js (notably in utilities) that allows execution of arbitrary code. Impact...
CVE-2020-28495
Total.js before 3.4.7 is affected by a prototype pollution vulnerability in the set function, which can set values by path and may alter Object.prototype, enabling DoS, remote code execution, or property injection depending on the application. The remediation is to upgrade Total.js to version 3.4...
CVE-2025-11019
Total.js CMS (up to 19.9.0) has a cross-site scripting vulnerability in the Files Menu component caused by manipulation of an unknown function. The issue can be exploited remotely and an exploit has been disclosed publicly. The connected documents consistently reference Total.js CMS and the Files...