This Metasploit module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution.
994055352fee2d951e405c99aeadd99178b2c65c81e77f2f5498366d48a48c14