Improper Authentication

Affecting total.js package, versions >=3.1.0

Overview

total.js is a framework for the Node.js platform written in pure JavaScript, comparable to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used to build web, desktop, service or IoT applications.

Affected versions of this package are vulnerable to Improper Authentication via cookie enumeration. A low-privileged user can apply a simple transformation to a cookie to recover the random values inside it. If an attacker discovers a session cookie belonging to an admin, it can be brute forced with O(n)=2n instead of O(n)=n^x complexity, allowing the admin password to be stolen.

Remediation

There is no fixed version for total.js.

CVSS Score

8.0 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C
Credit: Riccardo Krauter
CVE: CVE-2019-15955
CWE: CWE-287
Snyk ID: SNYK-JS-TOTALJS-461098
Disclosed: 05 Sep, 2019
Published: 05 Sep, 2019