CVE-2019-15954
published 2019-09-05

Priority: P2 · 79
CVSS 3.1: 9.9 (critical), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit: available
EPSS: 79.20% (99.6th percentile)
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: global.process.mainModule.require(child_process).exec(RCE);

Affected (2 ranges)

Vendor    Product        Version range   Fixed in
totaljs   total.js_cms   (not listed)    (not listed)
totaljs   total.js_cms   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

command:   global.process.mainModule.require(child_process).exec(RCE);
cookie:    __admin=
url:       /admin/api/widgets
url:       /api/login/admin
port:      8000
filename:  p_[a-zA-Z]{5}
  • Detect sandbox escape attempts in Total.js widget bodies containing the pattern 'global.process.mainModule.require' which is the server-side JavaScript sandbox escape vector.
  • Monitor POST requests to /admin/api/widgets for widget creation with embedded JavaScript payloads; malicious widgets are named with the prefix 'p_' followed by random alphanumeric characters.
  • Monitor HTTP responses for the 'X-Powered-By: Total.js' header to fingerprint vulnerable Total.js CMS instances exposed on the network.
  • Alert on POST requests to /api/login/admin with JSON body containing 'username' and 'password' fields, followed immediately by POST to /admin/api/widgets — this sequence is characteristic of the exploit chain.
  • Track the __admin session cookie value extracted after login; its presence in subsequent DELETE requests to /admin/api/widgets indicates widget cleanup post-exploitation.
  • Watch for outbound HTTP requests from the Total.js server process to attacker-controlled hosts fetching files named with the 'p_' prefix (wget/curl stager delivery), indicating successful RCE.
  • Exploitation requires an authenticated session with the 'widgets' privilege (admin-level); unauthenticated exploitation is not possible.
  • The Metasploit module, as recorded here, targets Total.js CMS versions below 12.0.0 (exclusive) and defaults to port 8000. Note that the CVE description itself names 12.0.0 as the affected release, so verify the version check against the module source before relying on this range; deployments on non-default ports will not be caught by port-based detections that assume 8000.
  • The exploit leaves IOC artifacts in server logs (IOC_IN_LOGS is noted in the module metadata), so log-based detection is viable.

CVSS provenance

NVD, CVSS v3.1: 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C