CVE-2023-27069
https://notcve.org/view.php?id=CVE-2023-27069
A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the account name field. • https://github.com/totaljs/openplatform/issues/52 https://www.edoardoottavianelli.it/CVE-2023-27069 https://www.youtube.com/watch?v=Ryuz1gymiw8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-44019
https://notcve.org/view.php?id=CVE-2022-44019
In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. • https://github.com/totaljs/code/issues/12 https://www.edoardoottavianelli.it/CVE-2022-44019 https://www.youtube.com/watch?v=x-u3eS8-xJg • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-41392
https://notcve.org/view.php?id=CVE-2022-41392
A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings. • https://github.com/totaljs/cms/issues/38 https://www.edoardoottavianelli.it/CVE-2022-41392 https://www.youtube.com/watch?v=BOPLYnveBqk • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-30013
https://notcve.org/view.php?id=CVE-2022-30013
A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a PDF file with embedded JavaScript. • https://github.com/totaljs/framework https://www.youtube.com/watch?v=E2784z7Bu2c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26565
https://notcve.org/view.php?id=CVE-2022-26565
A cross-site scripting (XSS) vulnerability in all Totaljs versions before commit 95f54a5commit allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Name text field when creating a new page. • https://bug.pocas.kr/2022/03/01/2022-03-05-CVE-2022-26565 https://github.com/totaljs/cms/issues/35 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')