[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup  
[+] Title: Totaljs CMS Authenticated Code injection on widget creation.  
[+] Affected software: Totaljs CMS 12.0  
[+] Description:  
An authenticated user with “widgets” privilege can gain RCE on the   
remote server by creating a malicious widget with a special tag   
containing java-script code that will be evaluated server side.  
In the process of evaluating the tag by back-end is possible to escape   
the sandbox object by using the following payload:  
[+] Step to reproduce:  
1) browse to http://localhost:8000/admin/widgets/  
2) click on create  
3) paste the payload in the source code filed  
4) click on save  
[+] Project link:  
[+] Original report and details:  
[+] Timeline:  
- 13/02/2019 -> reported the issue to the vendor  
.... many ping here  
- 18/06/2019 -> pinged the vendor last time  
- 30/08/2019 -> reported to seclist