CVE-2023-30094
Description
Stored XSS vulnerability in TotalJS Flow v10 allows arbitrary web script execution via crafted payload in the platform name field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability description
CVE-2023-30094 is a stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10. The flaw exists in the settings module, where the platform name field is not properly sanitized. An attacker can inject arbitrary HTML or JavaScript code into this field, which is then stored and executed when the application is viewed by other users [1][2].
Exploitation scenario
To exploit this vulnerability, an attacker must have access to the settings module of a TotalJS Flow instance. No authentication bypass is required; the attacker simply needs to be an authenticated user with permission to modify the platform name. The crafted payload is stored in the application and triggers when any user navigates to the affected page, making it a classic stored XSS case [2].
Impact
Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to session hijacking, data theft, or defacement of the application. The vulnerability is rated with a CVSS score of 6.1 (medium severity) due to the need for user interaction and the requirement for authenticated access to the settings [1].
Mitigation
The issue was reported via the TotalJS Flow GitHub repository [2]. A fix was applied in the underlying TotalJS framework4 (commit e2cea690c3fe4453e94da896a69f832511f65179) by encoding configuration values in the view engine, preventing the injection of unescaped content [4]. Users should update to a patched version of TotalJS Flow or apply the framework fix to mitigate the vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| total4 (npm) | < 0.0.81 | 0.0.81 |
Affected products
Patches (2)
e2cea690c3fe: Fixed encoding config values `@{'%something'}` in the view engine.
2 files changed · +2 −1
changelog.txt+1 −0 modified@@ -13,6 +13,7 @@ - fixed atomic operations in NoSQL QueryBuilder - added `String.sign(key)` for making of quick checksums - added `DB().load([conn], opt)` for loading of prepared QueryBuilder queries +- fixed encoding config values `@{'%something'}` in the view engine ======================== 0.0.80
internal.js+1 −1 modified@@ -959,7 +959,7 @@ function view_parse(content, minify, filename, controller) { if (cmd[1] === '%') { var t = CONF[cmd.substring(2, cmd.length - 1)]; if (t != null) - builder += '+' + DELIMITER + (t + '').replace(/'/g, "\\'") + DELIMITER; + builder += '+' + DELIMITER + (t + '').encode().replace(/'/g, "\\'") + DELIMITER; } else builder += '+' + DELIMITER + (new Function('self', 'return self.$import(' + cmd[0] + '!' + cmd.substring(1) + ')'))(controller) + DELIMITER; } else if (cmd7 === 'compile' && cmd.lastIndexOf(')') === -1) {
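Review bot: the single `.encode()` call in the `%` config branch of `view_parse` is the entire fix, so its contract should be pinned by a regression test: a `CONF` value such as `<b>x</b>` must appear as `&lt;b&gt;x&lt;/b&gt;` in the compiled view output, and a value containing `'` must still yield a valid string literal after the existing `.replace(/'/g, "\\'")` step, since that replace now runs on the already-encoded text. The unchanged `else` branch feeds `self.$import(...)` rather than a config value, so it is outside the scope of this encoding. Note also that the value is read from `CONF` at parse time and baked into `builder`, so the encoded output reflects the config at compile time, not at render time.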
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jj45-24rw-v6jw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-30094 (GHSA, advisory)
- github.com/totaljs/flow/issues/100 (GHSA, web)
- github.com/totaljs/framework4/commit/e2cea690c3fe4453e94da896a69f832511f65179 (GHSA, web)
- www.edoardoottavianelli.it/CVE-2023-30094 (GHSA, web)
- www.youtube.com/watch (GHSA, web)
- www.youtube.com/watch (GHSA, web)
- www.edoardoottavianelli.it/CVE-2023-30094 (MITRE)
News mentions (0)
No linked articles in our index yet.