CVE-2019-15954
Published 2019-09-05
Priority P2 · critical 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit available
EPSS 79.20% (99.6th percentile)
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: `global.process.mainModule.require(child_process).exec(RCE);`
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| totaljs | total.js_cms | — | — |
| totaljs | total.js_cms | — | — |
Detection & IOCs (extracted from sources)
- Detect sandbox escape attempts in Total.js widget bodies containing the pattern 'global.process.mainModule.require', which is the server-side JavaScript sandbox escape vector.
- Monitor POST requests to /admin/api/widgets for widget creation with embedded JavaScript payloads; malicious widgets are named with the prefix 'p_' followed by random alphanumeric characters.
- Monitor HTTP responses for the 'X-Powered-By: Total.js' header to fingerprint vulnerable Total.js CMS instances exposed on the network.
- Alert on POST requests to /api/login/admin with a JSON body containing 'username' and 'password' fields, followed immediately by a POST to /admin/api/widgets; this sequence is characteristic of the exploit chain.
- Track the __admin session cookie value extracted after login; its presence in subsequent DELETE requests to /admin/api/widgets indicates widget cleanup post-exploitation.
- Watch for outbound HTTP requests from the Total.js server process to attacker-controlled hosts fetching files named with the 'p_' prefix (wget/curl stager delivery), indicating successful RCE.
- Exploitation requires an authenticated session with the 'widgets' privilege (admin-level); unauthenticated exploitation is not possible.
- The Metasploit module targets Total.js CMS versions below 12.0.0 (exclusive) and defaults to port 8000; deployments on non-default ports will not be caught by default port-based detections.
- The exploit leaves IOC artifacts in server logs (IOC_IN_LOGS noted in module metadata), so log-based detection is viable.
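The two log-based indicators above (the sandbox-escape string in a widget body, and the login-then-widget-creation request sequence) can be turned into concrete checks. The block below is an added example written for this page; it is not code from Total.js, the Metasploit module, or any of the listed sources. The access-log line format, the sample log lines and the sample widget bodies are all constructed for the example, and the 60-second correlation window is an assumed tuning value.

```javascript
// Added example (not from the page, Total.js, or the Metasploit module).
// Two defender-side checks built from the indicators listed on this page:
//   1. scanWidgetBody(): flag a widget whose body contains the server-side
//      sandbox-escape pattern 'global.process.mainModule.require', or whose
//      name matches the 'p_' + random-alphanumeric convention noted above.
//   2. findExploitSequences(): flag a POST /api/login/admin followed by a
//      POST /admin/api/widgets from the same client within a short window.
// Log line format is an assumption: "<iso-timestamp> <client-ip> <method> <path> <status>"

// Tolerates whitespace around the dots so trivial spacing does not evade the match.
const ESCAPE_PATTERN = /global\s*\.\s*process\s*\.\s*mainModule\s*\.\s*require/;
// Widget name convention from the IOC list: 'p_' followed by random alphanumerics.
const STAGER_NAME = /^p_[A-Za-z0-9]{4,}$/;

// Returns a list of finding labels for one widget; an empty list means nothing matched.
function scanWidgetBody(name, body) {
  const findings = [];
  if (ESCAPE_PATTERN.test(body)) findings.push('sandbox-escape-pattern');
  if (/child_process/.test(body)) findings.push('child_process-reference');
  if (STAGER_NAME.test(name)) findings.push('suspicious-widget-name');
  return findings;
}

// Parses one constructed access-log line; returns null for lines that do not fit.
function parseLogLine(line) {
  const m = line.match(/^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Correlates admin logins with widget-creation POSTs per client IP.
// Returns one hit per widget POST that lands within windowMs of that IP's last login.
function findExploitSequences(lines, windowMs = 60 * 1000) {
  const lastLogin = new Map(); // ip -> timestamp of most recent POST /api/login/admin
  const hits = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || e.method !== 'POST') continue;
    if (e.path === '/api/login/admin') {
      lastLogin.set(e.ip, e.ts);
    } else if (e.path.startsWith('/admin/api/widgets')) { // also matches the trailing-slash form
      const t = lastLogin.get(e.ip);
      if (t !== undefined && e.ts - t <= windowMs) {
        hits.push({ ip: e.ip, loginAt: t, widgetAt: e.ts, gapMs: e.ts - t });
      }
    }
  }
  return hits;
}

// Constructed sample log: one client chains login -> widget POST -> widget DELETE
// within seconds; another logs in and creates a widget 90 minutes later.
const SAMPLE_LOG = [
  '2019-09-05T10:00:00Z 203.0.113.7 POST /api/login/admin 200',
  '2019-09-05T10:00:03Z 203.0.113.7 POST /admin/api/widgets 200',
  '2019-09-05T10:00:09Z 203.0.113.7 DELETE /admin/api/widgets 200',
  '2019-09-05T08:00:00Z 198.51.100.4 POST /api/login/admin 200',
  '2019-09-05T09:30:00Z 198.51.100.4 POST /admin/api/widgets 200',
  '2019-09-05T10:01:00Z 198.51.100.4 GET /admin/api/widgets 200',
];

// Constructed widget records: one ordinary template and one carrying the escape pattern
// (with a placeholder in place of any command, since only the pattern matters here).
const SAMPLE_WIDGETS = [
  { name: 'footer', body: '<div class="footer">Hello</div>' },
  { name: 'p_ab12cd34', body: "global.process.mainModule.require('child_process').exec('COMMAND_PLACEHOLDER')" },
];

for (const w of SAMPLE_WIDGETS) {
  console.log(`widget ${w.name}: ${JSON.stringify(scanWidgetBody(w.name, w.body))}`);
}
console.log('login->widget sequences:', JSON.stringify(findExploitSequences(SAMPLE_LOG)));
```

A legitimate administrator who logs in and immediately edits a widget also produces the request sequence, so the sequence check is a triage signal rather than a verdict; the widget-body scan against the stored widget content is the higher-confidence indicator, and the two are best combined.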
CVSS provenance
- NVD v3.1: 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
GHSA
GHSA-xhg7-3m9v-pjfp: controllers/admin
ghsa_unreviewed · 2022-05-24 · CVSS 9.9
CVE-2020-9381 [CRITICAL] CWE-668
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
GHSA
Total.js CMS RCE Vulnerability
ghsa · 2022-05-24
CVE-2019-15954 [CRITICAL] CWE-77
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: `global.process.mainModule.require(child_process).exec(RCE);`
OSV
Total.js CMS RCE Vulnerability
osv · 2022-05-24
CVE-2019-15954 [CRITICAL]
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: `global.process.mainModule.require(child_process).exec(RCE);`
No detection rules found.
Exploit-DB
Total.js CMS 12 - Widget JavaScript Code Injection (Metasploit)
exploitdb · 2019-10-22 · CVE-2019-15954

The indexed listing is truncated; the metadata header of the module reads as follows (class and `initialize` lines restored from the standard Metasploit module skeleton, the rest as indexed):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Total.js CMS 12 Widget JavaScript Code Injection',
      'Description' => %q{
        This module exploits a vulnerability in Total.js CMS. The issue is that a user with
        admin permission can embed a malicious JavaScript payload in a widget, which is
        evaluated server side, and gain remote code execution.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Riccardo Krauter', # Original discovery
          'sinn3r'            # Metasploit module
        ],
      'Arch'        => [ARCH_X86, ARCH_X64],
      'Targets'     =>
        [
          [ 'Total.js CMS on Linux', { 'Platform' => 'linux', 'CmdStagerFlavor' => 'wget'} ],
          [ 'Total.js CMS on Mac', { 'P
```
Metasploit
Total.js CMS 12 Widget JavaScript Code Injection
metasploit
This module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/154924/Total.js-CMS-12-Widget-JavaScript-Code-Injection.html
- https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
- https://seclists.org/fulldisclosure/2019/Sep/5