CVE-2019-15954
Total.js CMS RCE Vulnerability
Description
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: `<script total>global.process.mainModule.require(child_process).exec(RCE);</script>`
How to fix CVE-2019-15954
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2019-15954 being exploited?
Likely — EPSS is 56.9%, placing CVE-2019-15954 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |