Vulnerability Details : CVE-2019-15954

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>
Published 2019-09-05 19:16:32
Updated 2022-01-01 20:18:27
Source MITRE
View at NVD,
At least one public exploit which can be used to exploit this vulnerability exists!

Exploit prediction scoring system (EPSS) score for CVE-2019-15954

Probability of exploitation activity in the next 30 days: 32.55%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 96 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2019-15954

  • Total.js CMS 12 Widget JavaScript Code Injection
    Disclosure Date : 2019-08-30
    This module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution. Authors: - Riccardo Krauter - sinn3r <[email protected]>

CVSS scores for CVE-2019-15954

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Source
[email protected]
[email protected]

CWE ids for CVE-2019-15954

References for CVE-2019-15954

Products affected by CVE-2019-15954

This web site uses cookies for managing your session and website analytics (Google analytics) purposes as described in our privacy policy.
By using this web site you are agreeing to terms of use!