SB2019090421 - Multiple vulnerabilities in Totaljs CMS
Published: September 4, 2019 Updated: October 22, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper control of interaction frequency (CVE-ID: N/A)
2) Path traversal (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote authenticated user with “Pages” privilege can include arbitrary .html files that are outside the permitted directory and execute malicious template directive to gain remote code execution.
3) Code Injection (CVE-ID: CVE-2019-15954)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in widget creation. A remote authenticated user with “widgets” privilege can send a malicious widget with a special tag containing JavaScript code that will be evaluated server side and execute arbitrary code on the target system. In the process of evaluating the tag by back-end is possible to escape the sandbox object by using the following payload:
<script total>global.process.mainModule.require(‘child_process’).exec(‘RCE here’); </script>
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to broken access control on the API call. A remote authenticated user with limited privileges can get access to resource that did not own by calling the associated API and gain unauthorized access to the application, leading to vertical and horizontal privilege escalation.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.