CVE-2019-15954

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:totaljs:total.js_cms:12.0.0:*:*:*:*:*:*:*

Information

Published : 2019-09-05 12:16

Updated : 2022-01-01 12:18


NVD link : CVE-2019-15954

Mitre link : CVE-2019-15954


JSON object : View

CWE
CWE-862

Missing Authorization

Advertisement

dedicated server usa

Products Affected

totaljs

  • total.js_cms