Showing 1 - 1 of 1

CVE-2019-15954

Status Candidate

Overview

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>

Related Files

Total.js CMS 12 Widget JavaScript Code Injection: Posted Oct 21, 2019; Authored by sinn3r, Riccardo Krauter | Site metasploit.com; This Metasploit module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution.; tags | exploit, remote, javascript, code execution; advisories | CVE-2019-15954; SHA-256 | 994055352fee2d951e405c99aeadd99178b2c65c81e77f2f5498366d48a48c14; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 227 files
indoushka 136 files
Jay Turla 111 files
Ubuntu 63 files
Gentoo 33 files
Debian 27 files
sinn3r 23 files
h00die 23 files
Pedro Ribeiro 21 files
juan vazquez 18 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (377)
CentOS (58)
Cisco (1,944)
Debian (7,112)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (386)
iPhone (108)
IRIX (220)
Juniper (70)
Linux (50,966)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,661)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,788)
UNIX (9,443)
UnixWare (187)
Windows (6,732)
Other

CVE-2019-15954

Overview

Related Files

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems