CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 2CVE-2019-15952 – Totaljs CMS 12.0 Path Traversal
https://notcve.org/view.php?id=CVE-2019-15952
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the Pages privilege can conduct a path traversal attack (../) to include .html files that are outside the permitted directory. Also, if a page contains a template directive, then the directive will be server side processed. Thus, if a user can control the content of a .html file, then they can inject a payload with a malicious template directive to gain Remote Command Execution. The exploit will work only with the .html extension. • http://packetstormsecurity.com/files/154340/Totaljs-CMS-12.0-Path-Traversal.html http://seclists.org/fulldisclosure/2019/Sep/11 https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf https://seclists.org/fulldisclosure/2019/Sep/2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10260
https://notcve.org/view.php?id=CVE-2019-10260
Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format). Total.js CMS, en su versión 12.0.0, tiene Cross-Site Scripting (XSS) relacionado con themes/admin/views/index.html (item.message) y themes/admin/public/ui.js (column.format). • https://github.com/totaljs/cms/commit/75205f93009db3cf8c0b0f4f1fc8ab82d70da8ad https://github.com/totaljs/cms/commit/8b9d7dada998c08d172481d9f0fc0397c4b3c78d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 14%CPEs: 1EXPL: 1CVE-2019-8903 – Total.js Prior To 3.2.4 Directory Traversal
https://notcve.org/view.php?id=CVE-2019-8903
index.js in Total.js Platform before 3.2.3 allows path traversal. index.js en la plataforma Total.js, en versiones anteriores a la 3.2.3, permite un salto de directorio. • https://github.com/ossf-cve-benchmark/CVE-2019-8903 https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903 https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7 https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525932b https://blog.totaljs.com/blogs/news/20190213-a-critical-security-fix https://security.snyk.io/vuln/SNYK-JS-TOTALJS-173710 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •