PT-2021-11552 · Total.Js
Alessio Dellalibera · Published 2021-02-02 · Updated 2021-02-05
CVE-2020-28495
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions:
total.js versions prior to 3.4.7
Description:
The vulnerability is prototype pollution in the set function, which writes a value into an object at a given path. The keys that make up the path are not properly sanitized before they are used as property names, so an attacker-controlled path can reach the prototype chain rather than only the target object. The impact depends on the application and can lead to denial of service (DoS), remote code execution, or property injection in some cases.
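The class of defect the description names, shown as an added illustration that is not total.js's own code: a minimal set-by-path helper in the unsafe form (every path segment is used as a property key unchecked) beside a hardened counterpart that refuses prototype-reaching keys and only walks into own properties. The function names (`setByPathUnsafe`, `setByPathSafe`, `demo`) and the sample path are constructed for this example.

```javascript
// Added illustrative example, not code from total.js. Names are hypothetical.

// Vulnerable: path segments are used as property keys without any check,
// so a path whose first segment names the prototype walks into
// Object.prototype and the final write lands there, affecting every object.
function setByPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: reject the keys through which the prototype chain is reachable,
// and only descend into properties the current object itself owns, so an
// inherited object is never reused as an intermediate container.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setByPathSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing forbidden key "${k}" in path "${path}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Harness: apply a prototype-reaching path with the given setter and report
// whether an unrelated, freshly created object now carries the value.
// Cleans up Object.prototype afterwards so the check can be repeated.
function demo(setter) {
  const target = {};
  let error = null;
  try {
    setter(target, '__proto__.polluted', 'yes'); // constructed sample path
  } catch (e) {
    error = e.message;
  }
  const leaked = ({}).polluted; // unrelated object: should be undefined
  delete Object.prototype.polluted;
  return { leaked, error };
}

console.log('unsafe:', demo(setByPathUnsafe)); // leaked: 'yes'
console.log('safe:  ', demo(setByPathSafe));   // leaked: undefined, error set
```

The `demo` helper is also a usable regression check for any path-setting utility in a code base: if an unrelated object observes the written value, the helper is polluting the shared prototype. As defence in depth, a Node application can additionally call `Object.freeze(Object.prototype)` at startup so such writes fail rather than silently succeed.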
Recommendations:
For total.js versions prior to 3.4.7, update to version 3.4.7 or later to resolve the issue. As a temporary workaround, restrict the use of the set function, in particular with paths derived from untrusted input, to minimize the risk of exploitation.
Tags: Prototype Pollution, Resource Exhaustion