[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup  
[+] Title: Totaljs CMS Broken Access Control on the API call  
[+] Affected software: Totaljs CMS 12.0  
[+] Description: An authenticated user with limited privileges can gain
access to resources they do not own by calling the associated API.
The CMS enforces privileges correctly only for the front-end resource
path, but it does not do the same for the API request. This leads to
vertical and horizontal privilege escalation.
[+] Steps to reproduce:
1) Create a user with any privilege (e.g. “Notices”).
2) Log in with this user and browse to http://localhost:8000/admin/notices/
3) Copy the __admin cookie, which by default identifies the session user.
4) Create a POST request in Burp to the following path
/admin/api/pages/preview/ with body {"body":"","template":"default"}
5) A 200 response comes back, meaning the API call was used successfully
although the user does not have the privilege to use it.
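The fix the advisory implies is to apply the same privilege check to `/admin/api/<section>/...` that is already applied to `/admin/<section>/`. The following is an added illustration in plain Node.js, not Total.js code; the section-to-privilege table and the user object shape are assumptions.

```javascript
// Assumed mapping from admin section name to the privilege it requires.
// "Notices" is the privilege named in the advisory; "Pages" is assumed
// for the /admin/api/pages/ endpoint. Unknown sections are denied.
const SECTION_PRIVILEGE = { notices: 'Notices', pages: 'Pages' };

// Extract the section from either /admin/<section>/... or
// /admin/api/<section>/..., so both path families share one check.
function sectionOf(path) {
  const m = /^\/admin\/(?:api\/)?([^/]+)\//.exec(path);
  return m ? m[1] : null;
}

// Models the reported behaviour: a valid session is enough for any
// /admin/api/ request, privileges are only checked on front-end paths.
function authorizeFrontendOnly(user, path) {
  if (!user) return false;
  if (path.startsWith('/admin/api/')) return true; // the gap
  const required = SECTION_PRIVILEGE[sectionOf(path)];
  return required !== undefined && user.privileges.includes(required);
}

// Hardened check: every /admin/ path, API or not, resolves to a section
// and is denied unless the user holds that section's privilege.
function authorizeAllPaths(user, path) {
  if (!user) return false;
  const section = sectionOf(path);
  const required = section ? SECTION_PRIVILEGE[section] : undefined;
  if (required === undefined) return false; // deny by default
  return user.privileges.includes(required);
}

// Structured decision suitable for an audit log: denied API calls from an
// otherwise valid session are the signal a defender would want to alert on.
function decide(user, path) {
  const allowed = authorizeAllPaths(user, path);
  return { allowed, section: sectionOf(path), api: path.startsWith('/admin/api/') };
}

// Constructed example: a user holding only the "Notices" privilege.
const noticesUser = { privileges: ['Notices'] };
console.log(decide(noticesUser, '/admin/api/pages/preview/'));
```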
[+] Project link:  
[+] Original report and details:  
[+] Timeline:  
- 13/02/2019 -> reported the issue to the vendor
.... many pings here
- 18/06/2019 -> pinged the vendor for the last time
- 30/08/2019 -> reported to seclist