CVE-2019-8903
Path Traversal in total.js
Description
Affected versions of `total.js` are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files outside the `/public` folder by using relative paths. The files served are limited to these file types: `flac`, `jpg`, `jpeg`, `png`, `gif`, `ico`, `js`, `css`, `txt`, `xml`, `woff`, `woff2`, `otf`, `ttf`, `eot`, `svg`, `zip`, `rar`, `pdf`, `docx`, `xlsx`, `doc`, `xls`, `html`, `htm`, `appcache`, `manifest`, `map`, `ogv`, `ogg`, `mp4`, `mp3`, `webp`, `webm`, `swf`, `package`, `json`, `md`, `m4v`, `jsx`, `heif`, `heic`.
Recommendation
- If you are using version 2.1.x, upgrade to 2.1.1 or later.
- If you are using version 2.2.x, upgrade to 2.2.1 or later.
- If you are using version 2.3.x, upgrade to 2.3.1 or later.
- If you are using version 2.4.x, upgrade to 2.4.1 or later.
- If you are using version 2.5.x, upgrade to 2.5.1 or later.
- If you are using version 2.6.x, upgrade to 2.6.3 or later.
- If you are using version 2.7.x, upgrade to 2.7.1 or later.
- If you are using version 2.8.x, upgrade to 2.8.1 or later.
- If you are using version 2.9.x, upgrade to 2.9.5 or later.
- If you are using version 3.0.x, upgrade to 3.0.1 or later.
- If you are using version 3.1.x, upgrade to 3.1.1 or later.
- If you are using version 3.2.x, upgrade to 3.2.4 or later.
How to fix CVE-2019-8903
To remediate CVE-2019-8903, upgrade the affected package to a fixed version below.
- Upgrade `total.js` to 3.2.3 or later.
Is CVE-2019-8903 being exploited?
Likely — EPSS is 53.3%, placing CVE-2019-8903 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- `total.js`: all versions from 0 up to, but not including, 3.2.3