[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Authenticated Code injection on widget creation.

[+] Affected software: Totaljs CMS 12.0

[+] Description:

An authenticated user with “widgets” privilege can gain RCE on the 
remote server by creating a malicious widget with a special tag 
containing java-script code that will be evaluated server side.
In the process of evaluating the tag by back-end is possible to escape 
the sandbox object by using the following payload:
<script 
total>global.process.mainModule.require(‘child_process’).exec(‘RCE 
here’);</script>

[+] Step to reproduce:

1) browse to http://localhost:8000/admin/widgets/
2) click on create
3) paste the payload in the source code filed
4) click on save

[+] Project link: https://github.com/totaljs/cms

[+] Original report and details: 
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 30/08/2019 -> reported to seclist