CVE-2021-32831 — Code Injection in total.js

Description

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.

How to fix CVE-2021-32831

To remediate CVE-2021-32831, upgrade the affected package to a fixed version below.

—upgrade to 3.4.9 or later

Is CVE-2021-32831 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.4.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32831
ADVISORYsecuritylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs
PATCHgithub.com/totaljs
WEBgithub.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11