| CVE | Category | Price | Severity |
|---|---|---|---|
| CVE-2021-26068 | CWE-94 | $500 | High |

| Author | Risk | Exploitation Type | Date |
|---|---|---|---|
| Unknown | High | Remote | 2019-09-05 |

| CVSS | EPSS | EPSSP |
|---|---|---|
| CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H | 0.02192 | 0.50148 |
[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Authenticated Code injection on widget creation.

[+] Affected software: Totaljs CMS 12.0

[+] Description: An authenticated user with the widgets privilege can gain RCE on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. While the back end evaluates the tag, it is possible to escape the sandbox object by using the following payload:

```
<script total>global.process.mainModule.require(child_process).exec(RCE here);</script>
```

[+] Steps to reproduce:

1) browse to http://localhost:8000/admin/widgets/
2) click on create
3) paste the payload in the source code field
4) click on save

[+] Project link: https://github.com/totaljs/cms

[+] Original report and details: https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor
  .... many pings here
- 18/06/2019 -> pinged the vendor last time
- 30/08/2019 -> reported to seclist
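For defenders reviewing an installation, the following added example (not part of the advisory and not Total.js code) scans widget sources for server-side `<script total>` blocks and flags those that reference Node.js runtime objects. The `{name, body}` record shape, the function names and the sample widgets are assumptions constructed for illustration.

```javascript
// Added example: audit widget sources for server-side <script total> blocks.
// The {name, body} record shape and the sample widgets are constructed.

// Identifiers that give evaluated code a path to the Node.js runtime.
const RUNTIME_TOKENS = ['global', 'process', 'mainModule', 'require',
                        'child_process', 'constructor'];

// <script total> ... </script>, tolerant of case, spacing and extra attributes.
const SERVER_BLOCK = /<script\b[^>]*\btotal\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
const SERVER_OPEN = /<script\b[^>]*\btotal\b[^>]*>/gi;

function auditWidget(widget) {
  const findings = [];
  for (const m of widget.body.matchAll(SERVER_BLOCK)) {
    const tokens = RUNTIME_TOKENS.filter(
      (t) => new RegExp('\\b' + t + '\\b').test(m[1]));
    findings.push({
      widget: widget.name,
      offset: m.index,
      tokens,
      severity: tokens.length > 0 ? 'high' : 'review',
    });
  }
  // An opening tag with no closing tag is still worth a manual look.
  const opened = [...widget.body.matchAll(SERVER_OPEN)].length;
  if (opened > findings.length) {
    findings.push({ widget: widget.name, offset: -1, tokens: [],
                    severity: 'unterminated' });
  }
  return findings;
}

function auditAll(widgets) {
  return widgets.flatMap(auditWidget);
}

// Constructed sample data.
const SAMPLE_WIDGETS = [
  { name: 'newsletter', body: '<div>Subscribe</div><script>console.log(1)</script>' },
  { name: 'counter', body: '<p>Visits</p><script total>var n = 1 + 1;</script>' },
  { name: 'imported', body: '<SCRIPT total >var p = global.process.mainModule;</SCRIPT>' },
  { name: 'broken', body: '<script total>var x = require' },
];

for (const f of auditAll(SAMPLE_WIDGETS)) {
  console.log(`${f.severity}\t${f.widget}\t${f.tokens.join(',')}`);
}
```

The token list is an audit aid for choosing which widgets to read by hand, not an input filter: every widget reported here, including those marked `review`, carries code that the CMS evaluates on the server.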