*Totaljs CMS authenticated path traversal (could lead to RCE)*  
[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup  
[+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)  
[+] Affected software: Totaljs CMS 12.0  
[+] Description: An authenticated user with โ€œPagesโ€ privilege can   
include via path traversal attack (../) .html files that are outside the   
permitted directory. Also if the page contains template directive, then   
the directive will be server side processed, so if a user can control   
the content of a .html file, then can inject payload with malicious   
template directive to gain RemoteCodeExecution.  
The exploit will work only with .html extension.  
[+] Step to reproduce:  
1) go to http://localhost:8000/admin/pages/  
2) click on create button  
3) enable burp proxy forwarding  
4) select a template from the menu this will send a POST request to the API  
5) from burp modify the json body request by adding the path traversal   
on the template parameter like this   
do NOT add the .html extension it will be added to the back-end API  
6) send the request  
[+] Project link:  
[+] Original report and details:  
[+] Timeline:  
- 13/02/2019 -> reported the issue to the vendor  
.... many ping here  
- 18/06/2019 -> pinged the vendor last time  
- 29/08/2019 -> reported to seclist