Description

This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.

Remediation

References

https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set

https://github.com/totaljs/framework/blob/master/utils.js%23L6606

https://github.com/totaljs/framework/blob/master/utils.js%23L6617

https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff

https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671

Related Vulnerabilities

CVE-2021-28165 Vulnerability in maven package org.eclipse.jetty:jetty-io

CVE-2023-43123 Vulnerability in maven package org.apache.storm:storm-core

CVE-2021-39132 Vulnerability in maven package org.rundeck:rundeck-core

CVE-2021-35516 Vulnerability in maven package org.apache.commons:commons-compress

CVE-2020-26234 Vulnerability in maven package org.opencastproject:opencast-kernel

Severity

Critical

Tags

Broken Link Patch Third Party Advisory Exploit NVD-CWE-Other