Vulnerability Details : CVE-2019-15954

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>

Published 2019-09-05 19:16:32

Updated 2022-01-01 20:18:27

Source MITRE

View at NVD, CVE.org

At least one public exploit which can be used to exploit this vulnerability exists!

Exploit prediction scoring system (EPSS) score for CVE-2019-15954

Probability of exploitation activity in the next 30 days: 32.55%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 96 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2019-15954

Total.js CMS 12 Widget JavaScript Code Injection

Disclosure Date : 2019-08-30

exploit/multi/http/totaljs_cms_widget_exec

This module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution. Authors: - Riccardo Krauter - sinn3r <[email protected]>

More information

CVSS scores for CVE-2019-15954

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	[email protected]
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	3.1	6.0	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-15954

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: [email protected] (Primary)

References for CVE-2019-15954

http://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html

Exploit;Third Party Advisory;VDB Entry
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

Exploit;Third Party Advisory

CVEs referencing this url
https://seclists.org/fulldisclosure/2019/Sep/5

Exploit;Mailing List;Third Party Advisory

Products affected by CVE-2019-15954

Totaljs » Total.js Cms » Version: 12.0.0
cpe:2.3:a:totaljs:total.js_cms:12.0.0:*:*:*:*:*:*:*
Matching versions