Description

This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.

Remediation

References

https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set

https://github.com/totaljs/framework/blob/master/utils.js%23L6606

https://github.com/totaljs/framework/blob/master/utils.js%23L6617

https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff

https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671

Related Vulnerabilities

CVE-2022-0219 Vulnerability in maven package io.github.skylot:jadx-core

CVE-2022-36886 Vulnerability in maven package org.jenkins-ci.plugins:external-monitor-job

CVE-2023-32731 Vulnerability in maven package io.grpc:grpc-protobuf

CVE-2023-24057 Vulnerability in maven package org.hl7.fhir.publisher:org.hl7.fhir.publisher.core

CVE-2021-4264 Vulnerability in maven package org.webjars.bower:dustjs-linkedin

Severity

Critical

Tags

Broken Link Patch Third Party Advisory Exploit NVD-CWE-Other