CVE-2021-32831 - OpenCVE

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Totaljs	Total.js

Configuration 1 [-]

cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11
https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3
https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/
https://www.npmjs.com/package/total.js

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-30T20:40:21

Updated: 2024-08-03T23:33:56.088Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32831

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-30T21:15:09.287

Modified: 2021-09-07T19:43:39.873

Link: CVE-2021-32831

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "framework", "vendor": "totaljs", "versions": [{"status": "affected", "version": "< 3.4.9"}]}], "descriptions": [{"lang": "en", "value": "Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-30T20:40:21", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/total.js"}], "source": {"advisory": "GHSL-2021-066", "discovery": "INTERNAL"}, "title": "Code injection in total.js", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32831", "STATE": "PUBLIC", "TITLE": "Code injection in total.js"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "framework", "version": {"version_data": [{"version_value": "< 3.4.9"}]}}]}, "vendor_name": "totaljs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3", "refsource": "MISC", "url": "https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3"}, {"name": "https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/", "refsource": "CONFIRM", "url": "https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/"}, {"name": "https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11", "refsource": "MISC", "url": "https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11"}, {"name": "https://www.npmjs.com/package/total.js", "refsource": "MISC", "url": "https://www.npmjs.com/package/total.js"}]}, "source": {"advisory": "GHSL-2021-066", "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.088Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/total.js"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32831", "datePublished": "2021-08-30T20:40:21", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:56.088Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2B79850C-DAE5-4522-A2D6-9C672463D052", "versionEndExcluding": "3.4.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9."}, {"lang": "es", "value": "Total.js framework (paquete npm total.js) es un framework para la plataforma Node.js escrito en JavaScript puro similar a Laravel de PHP o Django de Python o ASP.NET MVC. En total.js framework versiones anteriores a 3.4.9, llamar a la funci\u00f3n utils.set con valores controlados por el usuario conlleva a una inyecci\u00f3n de c\u00f3digo. Esto puede causar una variedad de impactos que incluyen una ejecuci\u00f3n de c\u00f3digo arbitrario. Esto es corregido en versi\u00f3n 3.4.9."}], "id": "CVE-2021-32831", "lastModified": "2021-09-07T19:43:39.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-30T21:15:09.287", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/total.js"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}