Totaljs Total.js Cms 12.0.0
cpe:2.3:a:totaljs:total.js_cms:12.0.0:*:*:*:*:*:*:*
part: a version: 12.0.0 update: *
| Vendor | Totaljs (c2c15978-184c-5682-8600-bc2601bf8f6a) |
|---|---|
| Product | Total.Js Cms (35f67003-0ca7-5922-b4a8-1e72e64706ca) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/totaljs/cms | purl2cpe | 2026-06-01 10:16:59.831926 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2019-15955 | vulnerable | 2026-06-08 05:13:07.202295 | An issue was discovered in Total.js CMS 12.0.0. A low privilege user can perform a simple transformation of a cookie to obtain the random values inside it. If an attacker can discover a session cookie owned by an admin, then it is possible to brute force it with O(n)=2n instead of O(n)=n^x complexity, and steal the admin password. Published: 2019-09-05T18:31:34.000Z. Updated: 2024-08-05T01:03:32.432Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-15954 | vulnerable | 2026-06-08 05:13:07.201791 | An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: `<script total>global.process.mainModule.require(child_process).exec(RCE);</script>`. Published: 2019-09-05T18:31:43.000Z. Updated: 2024-08-05T01:03:32.574Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-15953 | vulnerable | 2026-06-08 05:13:07.201264 | An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertical and horizontal privilege escalation. Published: 2019-09-05T18:31:53.000Z. Updated: 2024-08-05T01:03:32.423Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-15952 | vulnerable | 2026-06-08 05:13:07.200782 | An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the Pages privilege can conduct a path traversal attack (../) to include .html files that are outside the permitted directory. Also, if a page contains a template directive, then the directive will be server side processed. Thus, if a user can control the content of a .html file, then they can inject a payload with a malicious template directive to gain Remote Command Execution. The exploit will work only with the .html extension. Published: 2019-09-05T18:32:03.000Z. Updated: 2024-08-05T01:03:32.572Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-10260 | vulnerable | 2026-06-08 05:12:23.074562 | Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format). Published: 2019-03-28T16:24:01.000Z. Updated: 2024-08-04T22:17:19.936Z | Imported from gcve-enriched-dumps CVE data |