10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-15954

GHSA ID

GHSA-v287-9w3v-x5c5

EPSS Score

0.98096%

CWE

CWE-77

Published

5/24/2022

Updated

7/17/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-15954

CVE-2019-15954: Total.js CMS RCE Vulnerability

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-15954

GHSA ID

GHSA-v287-9w3v-x5c5

EPSS Score

0.98096%

CWE

CWE-77

Published

5/24/2022

Updated

7/17/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
total4	npm	= 12.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient sandboxing in the widget processing mechanism. The payload demonstrates direct access to Node.js's 'global.process' object, indicating the evaluation context isn't properly isolated. While exact file paths aren't disclosed, the core issue lies in the function evaluating widget content containing <script total> tags. This function fails to restrict access to dangerous Node.js APIs, enabling command injection via crafted JavaScript.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in Tot*l.js *MS **.*.*. *n *ut**nti**t** us*r wit* t** wi***ts privil*** **n **in ***i*v* R*mot* *omm*n* *x**ution (R**) on t** r*mot* s*rv*r *y *r**tin* * m*li*ious wi***t wit* * sp**i*l t** *ont*inin* J*v*S*ript *o** t**t wi

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt s*n**oxin* in t** wi***t pro**ssin* m****nism. T** p*ylo** **monstr*t*s *ir**t ****ss to No**.js's '*lo**l.pro**ss' o*j**t, in*i**tin* t** *v*lu*tion *ont*xt isn't prop*rly isol*t**. W*il* *x**t *il* p*t*s *r

10

Basic Information

Concerned about an active attack path?

CVE-2019-15954: Total.js CMS RCE Vulnerability

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI