CVE-2019-8903
published 2019-02-18

CVE-2019-8903: index.js in Total.js Platform before 3.2.3 allows path traversal.

Priority: P2 · 71 · high
CVSS 3.0: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public exploit available (Metasploit module and Nuclei template, see Detection & IOCs)
EPSS: 72.06% (99.4th percentile)

Affected (2 ranges)

Vendor    Product    Version range    Fixed in
totaljs   total.js   < 3.2.3          3.2.3
totaljs   total.js   >= 0, < 3.2.3    3.2.3

Detection & IOCs (extracted from sources)

URL:  {{BaseURL}}/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html
Path: /.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html
  • Detect path traversal attempts using URL-encoded dot-dot sequences (`.%2e/`) in HTTP GET requests to Total.js servers. A successful exploit returns HTTP 200 with the contents of the requested file; a traversal request answered with 404 or 400 is an attempt, not a confirmed read.
  • A 200 response whose body contains the string 'apache2.conf' is the success indicator used by the sources: the requested /var/www/html/index.html is the stock Apache landing page on Debian-based hosts, and that page references apache2.conf. On hosts without that default page, judge success by the status code and whether the body is plausibly the requested file.
  • The vulnerability resides in index.js of the Total.js Platform, whose static-file handler only serves files with the extensions below, so a traversal read is limited to such files. Monitor requests for URL-encoded traversal patterns that target them: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic.
  • The Metasploit module targets versions prior to 3.2.4, while NVD and the Nuclei template reference the fix as version 3.2.3. Treat every Total.js version before 3.2.4 as in scope for detection and patch verification.
  • The traversal payload uses dot-dot sequences in which the second dot is percent-encoded (`.%2e/`, i.e. `%2e` is an encoded `.`, not a slash) rather than the literal `../`. Rules that match only on `../` miss it; WAF/IDS logic must percent-decode the path (repeatedly, to catch `%252e` double encoding) before looking for `..` segments.
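The detection logic the bullets above describe, as an added example that is not part of the original page or of the Total.js project: it percent-decodes each request path until it is stable, walks the segments to see whether the path escapes the document root, checks whether the target extension is one the framework serves, and grades a hit as a likely successful read when the server answered 200. The log lines are constructed for the example; the combined-log-format regex, the function names and the `likely-success`/`attempt` verdicts are this example's own choices.

```python
import re
from urllib.parse import unquote

# Extensions quoted in the IOC list above: Total.js only serves static files with
# these extensions, so a traversal read can only return such files.
SERVED_EXTENSIONS = {
    "flac", "jpg", "jpeg", "png", "gif", "ico", "js", "css", "txt", "xml", "woff",
    "woff2", "otf", "ttf", "eot", "svg", "zip", "rar", "pdf", "docx", "xlsx", "doc",
    "xls", "html", "htm", "appcache", "manifest", "map", "ogv", "ogg", "mp4", "mp3",
    "webp", "webm", "swf", "package", "json", "md", "m4v", "jsx", "heif", "heic",
}

# Apache/nginx combined log format (assumed); only client, target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_fully(s, rounds=3):
    """Percent-decode until stable so `.%2e`, `%2e%2e` and `%252e` all collapse to dots."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_target(raw_target):
    """Return traversal facts about one request target, or None if it never leaves the root."""
    raw_path = raw_target.split("?", 1)[0]
    decoded = decode_fully(raw_path)
    segments = [seg for seg in decoded.split("/") if seg not in ("", ".")]
    depth, escaped = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:          # climbed above the document root
                escaped = True
        else:
            depth += 1
    if not escaped:
        return None                # "/static/../app.js" style paths stay inside the root
    last = segments[-1] if segments else ""
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return {
        "decoded_path": decoded,
        "encoded_dots": ".." not in raw_path,        # traversal only visible after decoding
        "readable_extension": ext in SERVED_EXTENSIONS,
    }


def scan_log(lines):
    """Run the traversal check over access-log lines; return one finding per hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        facts = analyze_target(m.group("target"))
        if facts is None:
            continue
        status = int(m.group("status"))
        # Per the IOCs: a 200 on a servable extension is the strongest sign of a real read.
        verdict = "likely-success" if status == 200 and facts["readable_extension"] else "attempt"
        facts.update(ip=m.group("ip"), status=status, verdict=verdict)
        findings.append(facts)
    return findings


# Constructed sample log: one benign request, the encoded payload from this page,
# a double-encoded attempt at a non-servable file, and a literal ../ variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1042',
    '10.0.0.7 - - [18/Feb/2019:10:01:09 +0000] "GET /.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/'
    '.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html HTTP/1.1" 200 10918',
    '10.0.0.7 - - [18/Feb/2019:10:01:15 +0000] "GET /.%252e/.%252e/.%252e/.%252e/etc/passwd HTTP/1.1" 404 153',
    '10.0.0.9 - - [18/Feb/2019:10:02:00 +0000] "GET /../../app.js HTTP/1.1" 200 822',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["verdict"], "encoded" if f["encoded_dots"] else "literal", f["decoded_path"])
```

The root-escape walk, rather than a plain substring match on `..`, keeps `/static/../app.js` out of the findings while still catching the `.%2e/` payload and its `%252e` double-encoded cousin. Because Total.js answers only for the listed extensions, a traversal toward something like /etc/passwd is logged as an attempt even if the server returned 200 for some other reason.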

CVSS provenance

NVD v3.0: 7.5 HIGH   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 5.0 MEDIUM AV:N/AC:L/Au:N/C:P/I:N/A:N