CVE-2019-15954 : An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the w

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>

Published 2019-09-05 19:16:32

Updated 2022-01-01 20:18:27

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-15954

Totaljs » Total.js Cms » Version: 12.0.0
cpe:2.3:a:totaljs:total.js_cms:12.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-15954

EPSS FAQ

58.87%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2019-15954

Total.js CMS 12 Widget JavaScript Code Injection

Disclosure Date: 2019-08-30

First seen: 2020-04-26

exploit/multi/http/totaljs_cms_widget_exec

This module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution. Authors: - Riccardo Krauter - sinn3r <sinn3r@

More information

CVSS scores for CVE-2019-15954

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	3.1	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-15954

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-15954

http://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html

Total.js CMS 12 Widget JavaScript Code Injection ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

CVE/report_final.pdf at master · beerpwn/CVE · GitHub
Exploit;Third Party Advisory

CVEs referencing this url
https://seclists.org/fulldisclosure/2019/Sep/5

Full Disclosure: Totaljs CMS Authenticated Code injection on widget creation
Exploit;Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2019-15954