Lucene search
GoogleOSV:GHSA-V287-9W3V-X5C5HistoryMay 24, 2022 - 4:55 p.m.
Total.js CMS RCE Vulnerability
2022-05-2416:55:31
Google
osv.dev
14
0.354 Low
EPSS
Percentile
97.2%
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>
Related
zdt
zdt
Total.js CMS 12 - Widget JavaScript Code Injection Exploit
2019-10-22 00:00:00
nvd
nvd
CVE-2019-15954
2019-09-05 19:16:32
CVE-2020-9381
2020-02-24 22:15:12
cvelist
cvelist
CVE-2019-15954
2019-09-05 18:31:43
CVE-2020-9381
2020-02-24 21:25:54
prion
prion
Command injection
2019-09-05 19:16:00
Design/Logic Flaw
2020-02-24 22:15:00
packetstorm
packetstorm
Total.js CMS 12 Widget JavaScript Code Injection
2019-10-21 00:00:00
cve
cve
CVE-2019-15954
2019-09-05 19:16:32
CVE-2020-9381
2020-02-24 22:15:12
attackerkb
attackerkb
CVE-2019-15954: Total.js CMS 12 Widget Remote Code Execution
2019-09-05 00:00:00
github
github
Total.js CMS RCE Vulnerability
2022-05-24 16:55:31
osv
osv
CVE-2020-9381
2020-02-24 22:15:12