Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12Mjg3LTl3M3YteDVjNc4AAh-W
Total.js CMS RCE Vulnerability
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12Mjg3LTl3M3YteDVjNc4AAh-W
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 10 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-v287-9w3v-x5c5, CVE-2019-15954
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-15954
- https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
- https://seclists.org/fulldisclosure/2019/Sep/5
- http://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html
- https://github.com/advisories/GHSA-v287-9w3v-x5c5
Blast Radius: 28.1
Affected Packages
npm:total4
Dependent packages: 6Dependent repositories: 643
Downloads: 2,112 last month
Affected Version Ranges: = 12.0.0
No known fixed version
All affected versions: