CVE-2019-15952

Name of the Vulnerable Software and Affected Versions Total.js CMS version 12.0.0

Description An issue in Total.js CMS allows an authenticated user with the Pages privilege to conduct a path traversal attack to include .html files outside the permitted directory. If a page contains a template directive, it will be server-side processed, potentially leading to Remote Command Execution if a user can control the content of a .html file and inject a malicious template directive.

Recommendations For Total.js CMS version 12.0.0, restrict access to the Pages privilege and avoid allowing users to control the content of .html files to minimize the risk of exploitation. As a temporary workaround, consider disabling the processing of template directives in .html files until a patch is available.