Path Traversal

Affecting total.js package, versions >=3.1.0

Overview

total.js is a framework for the Node.js platform, written in pure JavaScript, comparable to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used to build web, desktop, service or IoT applications.

Affected versions of this package are vulnerable to Path Traversal. An authenticated user holding the Pages privilege can supply a page name containing `../` sequences and thereby include .html files that lie outside the permitted directory.

Remediation

There is no fixed version for total.js.

CVSS Score

9.9 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C
Credit: Riccardo Krauter
CVE: CVE-2019-15952
CWE: CWE-23
Snyk ID: SNYK-JS-TOTALJS-461097
Disclosed: 05 Sep, 2019
Published: 05 Sep, 2019