CVE-2019-15954
CRITICAL9.9EPSS 56.9%Total.js CMS RCE Vulnerability
Published: 5/24/2022Modified: 11/8/2023
Also known as:GHSA-v287-9w3v-x5c5
Description
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: `<script total>global.process.mainModule.require(child_process).exec(RCE);</script>`
Affected packages (1)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-15954
- PATCHhttps://github.com/totaljs/cms
- WEBhttp://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html
- WEBhttps://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
- WEBhttps://seclists.org/fulldisclosure/2019/Sep/5