Directory Traversal

Affecting total.js package, versions <3.3.3

Overview

total.js is a framework for the Node.js platform written in pure JavaScript, similar to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used for web, desktop, service or IoT applications.

Affected versions of this package are vulnerable to Directory Traversal because req.uri.pathname is not validated within the total.js framework.

Remediation

A fix was pushed into the master branch but not yet published.

CVSS Score

5.9 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Credit: Unknown
  • CWE: CWE-22
  • Snyk ID: SNYK-JS-TOTALJS-537824
  • Disclosed: 13 Dec, 2019
  • Published: 09 Jan, 2020