Improper Access Control

Affecting total.js package, versions >=3.1.0


Overview

total.js is a framework for the Node.js platform written in pure JavaScript, comparable to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used to build web, desktop, service or IoT applications.

Affected versions of this package are vulnerable to Improper Access Control. An authenticated user with limited privileges can access a resource they do not own by calling the API endpoint that backs it directly. The application enforces privileges only on the front-end resource path, not on the corresponding API requests, so the check is bypassed by skipping the front end and calling the API with another user's resource identifier. This leads to both horizontal privilege escalation (reading or modifying another user's resources) and vertical privilege escalation (reaching actions reserved for higher-privileged roles).
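The following is an added example, not total.js source and not the reporter's proof of concept, showing the pattern the description refers to: a page route that checks object ownership, the API route behind it that fetches the same object without checking, and a fixed API handler that applies the check itself. The users, documents and function names are constructed for the illustration.

```javascript
// Added illustration of the bug class in this advisory: a page route that
// checks ownership, and the API route behind it that does not. This is
// constructed example code, not total.js source; the users, documents and
// handler names are hypothetical.

const USERS = {
  alice: { id: 'alice', role: 'user' },
  bob:   { id: 'bob',   role: 'user' },
  root:  { id: 'root',  role: 'admin' },
};

// Constructed resource store; resetDocs() rebuilds it so demo() is repeatable.
let DOCS = {};
function resetDocs() {
  DOCS = {
    1: { id: 1, owner: 'alice', body: 'alice private notes' },
    2: { id: 2, owner: 'bob',   body: 'bob private notes' },
  };
}
resetDocs();

// Object-level authorization: the owner or an admin may touch a document.
function canAccess(user, doc) {
  return doc.owner === user.id || user.role === 'admin';
}

// Front-end page route: performs the check, as the advisory says the
// front-end resource path does.
function pageGetDoc(user, id) {
  const doc = DOCS[id];
  if (!doc) return { status: 404 };
  if (!canAccess(user, doc)) return { status: 403 };
  return { status: 200, body: doc.body };
}

// VULNERABLE API route: fetches by id only, assuming the caller came through
// the page. Any authenticated user can call it directly and read any
// document (horizontal escalation).
function apiGetDocVulnerable(user, id) {
  const doc = DOCS[id];
  if (!doc) return { status: 404 };
  return { status: 200, body: doc.body };
}

// FIXED API route: the same ownership check is enforced here, independent of
// which front-end path (if any) the request came through.
function apiGetDocFixed(user, id) {
  const doc = DOCS[id];
  if (!doc) return { status: 404 };
  if (!canAccess(user, doc)) return { status: 403 };
  return { status: 200, body: doc.body };
}

// Vertical case: an admin-only action with the role check in the API
// handler, not only on the admin page that normally calls it.
function apiDeleteDocFixed(user, id) {
  if (user.role !== 'admin') return { status: 403 };
  if (!DOCS[id]) return { status: 404 };
  delete DOCS[id];
  return { status: 204 };
}

// Runs the scenario from a fresh store and returns the status codes seen.
function demo() {
  resetDocs();
  const bob = USERS.bob;
  return {
    pageBlocksBob: pageGetDoc(bob, 1).status,               // 403
    apiVulnerableLeaks: apiGetDocVulnerable(bob, 1).status, // 200
    apiFixedBlocks: apiGetDocFixed(bob, 1).status,          // 403
    ownerStillWorks: apiGetDocFixed(bob, 2).status,         // 200
    deleteByUser: apiDeleteDocFixed(bob, 2).status,         // 403
    deleteByAdmin: apiDeleteDocFixed(USERS.root, 2).status, // 204
  };
}

console.log(demo());
```

The point is where the check lives: `canAccess` is applied inside the API handler, so it holds no matter how the request arrived. A check on the page route alone is defeated by calling the API directly with another user's identifier, which is exactly the bypass described above.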

Remediation

There is no fixed version for total.js. Until one is available, applications built on it should enforce ownership and role checks inside the API handlers themselves rather than relying on checks applied to the front-end route.

CVSS Score

Base score 8.5 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N/E:F/RL:U/RC:C
Credit: Riccardo Krauter
CVE: CVE-2019-15953
CWE: CWE-284
Snyk ID: SNYK-JS-TOTALJS-461096
Disclosed: 05 Sep, 2019
Published: 05 Sep, 2019