Improper Access Control in total.js

Do your applications use this vulnerable package? Test your applications

Overview

total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application.

Affected versions of this package are vulnerable to Improper Access Control. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The application correctly manages privileges only for the front-end resource path, and not for API requests. This leads to vertical and horizontal privilege escalation.

Remediation

There is no fixed version for total.js.

References

Attack Vector

Network
Attack Complexity

Low
Privileges Required

Low
User Interaction

None
Scope

Changed
Confidentiality

High
Integrity

Low
Availability

None

Credit: Riccardo Krauter
CVE: CVE-2019-15953
CWE: CWE-284
Snyk ID: SNYK-JS-TOTALJS-461096
Disclosed: 05 Sep, 2019
Published: 05 Sep, 2019

Improper Access Control
Affecting total.js package, versions >=3.1.0

Overview

Remediation

References

CVSS Score

Improper Access Control Affecting total.js package, versions >=3.1.0

Overview

Remediation

References

Improper Access Control
Affecting total.js package, versions >=3.1.0