Vulnerability Description
This affects the package total.js before 3.4.7. The `set` function can be used to set a value into an object according to a path. However, the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application; in some cases it is possible to achieve denial of service (DoS), remote code execution or property injection.
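To make the defect class concrete, the following is an added example (not total.js code and not the patched `U.set`): a minimal dotted-path setter in the style the description refers to, first without key checks so that a path beginning with `__proto__` walks into `Object.prototype`, then a hardened variant that rejects the keys `__proto__`, `constructor` and `prototype` and only traverses own properties. The path syntax (`a.b` and `a[0].b`), the function names and the `demo()` harness are assumptions made for this illustration.

```javascript
// "a[0].b" -> ["a", "0", "b"]  (bracket indexes are folded into dotted keys)
function parsePath(path) {
  return path.replace(/\[(\w+)\]/g, '.$1').split('.').filter(Boolean);
}

// Unsafe variant: every key is accepted. Because `({})['__proto__']` is
// Object.prototype (not undefined), the walk descends into the shared
// prototype and the final assignment lands on every plain object.
function unsafeSet(obj, path, value) {
  const keys = parsePath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Keys that must never appear in an attacker-influenced path.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: reject forbidden keys up front and never step into an
// inherited property while walking, so the write stays on the target object.
function safeSet(obj, path, value) {
  const keys = parsePath(path);
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set key "${k}" in path "${path}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    // Intermediate nodes are plain objects even for numeric keys (assumption
    // of this example; an array-aware setter would differ here).
    if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs both variants against the same path and reports what happened.
// The pollution the unsafe variant causes is undone before returning so the
// rest of the process is not affected.
function demo() {
  const results = {};

  unsafeSet({}, '__proto__.polluted', true);
  results.unsafePolluted = ({}).polluted === true;   // true: prototype was written
  delete Object.prototype.polluted;                   // clean up

  let safeThrew = false;
  try {
    safeSet({}, '__proto__.polluted', true);
  } catch (e) {
    safeThrew = true;
  }
  results.safeRejected = safeThrew && ({}).polluted === undefined;

  // Ordinary paths still work with the hardened setter.
  results.safeNormal = safeSet({}, 'a[0].b', 1);

  return results;
}

console.log(demo());
```

A quick regression check for any path-setting helper is the pattern `demo()` uses: after calling the setter with a `__proto__`-prefixed path, assert that a fresh `{}` has no such property. Rejecting the three keys is the narrowest fix; using `Object.create(null)` or a `Map` for objects populated from untrusted input removes the shared prototype altogether.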
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Totaljs | Total.Js | < 3.4.7 |
References
- https://docs.totaljs.com/latest/en.html#api~FrameworkUtils~U.set (Broken Link)
- https://github.com/totaljs/framework/blob/master/utils.js#L6606 (Broken Link)
- https://github.com/totaljs/framework/blob/master/utils.js#L6617 (Broken Link)
- https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7a (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2020-28495?
CVE-2020-28495 is a vulnerability with a CVSS score of 7.3 (HIGH). This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, le...
How severe is CVE-2020-28495?
CVE-2020-28495 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-28495?
Check the references section above for vendor advisories and patch information. Affected products include: Totaljs Total.Js.