Totaljs CMS version 12.0 suffers from an authenticated code injection vulnerability during widget creation.
5a2beed48db8d3b90204e1dc4c6cc04d[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup
[+] Title: Totaljs CMS Authenticated Code injection on widget creation.
[+] Affected software: Totaljs CMS 12.0
[+] Description:
An authenticated user with “widgets” privilege can gain RCE on the
remote server by creating a malicious widget with a special tag
containing java-script code that will be evaluated server side.
In the process of evaluating the tag by back-end is possible to escape
the sandbox object by using the following payload:
<script
total>global.process.mainModule.require(‘child_process’).exec(‘RCE
here’);</script>
[+] Step to reproduce:
1) browse to http://localhost:8000/admin/widgets/
2) click on create
3) paste the payload in the source code filed
4) click on save
[+] Project link: https://github.com/totaljs/cms
[+] Original report and details:
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
[+] Timeline:
- 13/02/2019 -> reported the issue to the vendor
.... many ping here
- 18/06/2019 -> pinged the vendor last time
- 30/08/2019 -> reported to seclist