The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
References
Link | Resource |
---|---|
https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3 | Patch Third Party Advisory |
https://github.com/totaljs/framework/blob/master/utils.js%23L6606-L6631 | Broken Link |
https://snyk.io/vuln/SNYK-JS-TOTALJS-1088607 | Exploit Patch Third Party Advisory |
Configurations
Information
Published : 2021-07-12 09:15
Updated : 2021-07-14 10:37
NVD link : CVE-2021-23389
Mitre link : CVE-2021-23389
JSON object : View
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')
Products Affected
totaljs
- total.js