Totaljs CMS 12.0 Widget Creation Code Injection

Totaljs CMS version 12.0 suffers from an authenticated code injection vulnerability during widget creation.

MD5 | 5a2beed48db8d3b90204e1dc4c6cc04d

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Authenticated Code injection on widget creation.

[+] Affected software: Totaljs CMS 12.0

[+] Description:

An authenticated user with “widgets” privilege can gain RCE on the
remote server by creating a malicious widget with a special tag
containing java-script code that will be evaluated server side.
In the process of evaluating the tag by back-end is possible to escape
the sandbox object by using the following payload:

[+] Step to reproduce:

1) browse to http://localhost:8000/admin/widgets/
2) click on create
3) paste the payload in the source code filed
4) click on save

[+] Project link:

[+] Original report and details:

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 30/08/2019 -> reported to seclist

Related Posts