CVE-2019-15954

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>

CVSS v3 9.9 CRITICAL
CVSS v2.0 9.0 HIGH

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html	Exploit Third Party Advisory VDB Entry
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf	Exploit Third Party Advisory
https://seclists.org/fulldisclosure/2019/Sep/5	Exploit Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:totaljs:total.js_cms:12.0.0:*:*:*:*:*:*:*

History

01 Jan 2022, 20:18

Type	Values Removed	Values Added
References	~~(MISC) http://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html -~~	(MISC) http://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html - Exploit, Third Party Advisory, VDB Entry
CWE	~~CWE-77~~	CWE-862

Information

Published : 2019-09-05 19:16

Updated : 2023-12-10 12:59

NVD link : CVE-2019-15954

Mitre link : CVE-2019-15954

CVE.ORG link : CVE-2019-15954

JSON object : View

Products Affected

totaljs

total.js_cms

CWE

CWE-862

Missing Authorization

{"id": "CVE-2019-15954", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2019-09-05T19:16:32.037", "references": [{"url": "http://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/fulldisclosure/2019/Sep/5", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>"}, {"lang": "es", "value": "Se detect\u00f3 un problema en Total.js CMS versi\u00f3n 12.0.0. Un usuario autenticado con el privilegio de widgets puede lograr la Ejecuci\u00f3n Remota de Comandos (RCE) en el servidor remoto creando un widget malicioso con una etiqueta especial que contenga un c\u00f3digo JavaScript que se evaluar\u00e1 en el server side. En el proceso de evaluaci\u00f3n de la etiqueta por el back-end, es posible escapar del objeto sandbox utilizando la siguiente carga \u00fatil:"}], "lastModified": "2022-01-01T20:18:27.157", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:totaljs:total.js_cms:12.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89F0FFC8-2C30-4A5D-B37E-BA216ED85C5E"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}