#VU20846 Path traversal in Totaljs CMS
Published: September 4, 2019 / Updated: September 4, 2019
Vulnerability identifier: #VU20846
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Totaljs CMS
Totaljs CMS
Software vendor:
Total.js
Total.js
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote authenticated user with “Pages” privilege can include arbitrary .html files that are outside the permitted directory and execute malicious template directive to gain remote code execution.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.