CVE-2021-32831
Code injection in total.js
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.
Total.js framework (paquete npm total.js) es un framework para la plataforma Node.js escrito en JavaScript puro similar a Laravel de PHP o Django de Python o ASP.NET MVC. En total.js framework versiones anteriores a 3.4.9, llamar a la función utils.set con valores controlados por el usuario conlleva a una inyección de código. Esto puede causar una variedad de impactos que incluyen una ejecución de código arbitrario. Esto es corregido en versión 3.4.9.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-12 CVE Reserved
- 2021-08-30 CVE Published
- 2024-02-26 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11 | Third Party Advisory | |
| https://www.npmjs.com/package/total.js | Product |
| URL | Date | SRC |
|---|---|---|
| https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3 | 2021-09-07 |
| URL | Date | SRC |
|---|