PT-2019-14493 · Total.Js · Total.Js Cms

Riccardo Krauter · Published 2019-09-05 · Updated 2022-05-24 · CVE-2019-15954

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Total.js CMS version 12.0.0
Description: An issue allows an authenticated user with the widgets privilege to achieve Remote Command Execution (RCE) on the remote server. This is done by creating a malicious widget with a special tag containing JavaScript code that is evaluated server-side. The back-end's evaluation of the tag allows an attacker to escape the sandbox object using a specific payload: <script total>global.process.mainModule.require('child_process').exec(RCE);</script>.
Recommendations: For Total.js CMS version 12.0.0, consider disabling the widget functionality or restricting the child_process module to prevent exploitation until a patch is available. Restrict access to the widget creation feature to minimize the risk of RCE.
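As an added defensive example (not code from the advisory or from the Total.js project): a pre-save check that audits widget markup for server-evaluated <script total> blocks referencing Node.js process or module-loading internals, the kind of content the description above identifies. The widget samples and the auditWidget function are constructed for this illustration.

```javascript
// Added example (not Total.js CMS code): flag widget markup whose
// server-evaluated <script total> block reaches for Node.js internals.
// Heuristic only: obfuscated references evade it, so it complements,
// and does not replace, patching or restricting the widgets privilege.
const SERVER_SCRIPT_RE = /<script\b[^>]*\btotal\b[^>]*>([\s\S]*?)<\/script>/gi;

// Identifiers a legitimate widget template has no reason to touch.
const SUSPICIOUS_REFS = [
  { name: 'process', re: /\bprocess\b/ },
  { name: 'mainModule', re: /\bmainModule\b/ },
  { name: 'require', re: /\brequire\b/ },
  { name: 'child_process', re: /child[_\s]*process/ },
  { name: 'Function-constructor', re: /\bFunction\s*\(/ },
];

// Returns one finding per <script total> block that matches a suspicious
// reference; an empty array means the widget passed the heuristic.
// Plain <script> tags are ignored because only the "total" variant is
// evaluated on the server according to the advisory.
function auditWidget(html) {
  const findings = [];
  const re = new RegExp(SERVER_SCRIPT_RE.source, SERVER_SCRIPT_RE.flags);
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1];
    const hits = SUSPICIOUS_REFS.filter(r => r.re.test(body)).map(r => r.name);
    if (hits.length > 0) findings.push({ offset: m.index, hits });
  }
  return findings;
}

// Constructed sample widgets (hypothetical template code, not Total.js syntax).
const BENIGN_WIDGET =
  '<div class="promo"><script total>output.push(model.title);</script></div>';
const MALICIOUS_WIDGET =
  '<script total>global.process.mainModule.require("child_process").exec(cmd);</script>';

console.log(auditWidget(BENIGN_WIDGET));    // []
console.log(auditWidget(MALICIOUS_WIDGET)); // one finding listing the matched names
```

Wire the check into the widget create/update handler so that a non-empty result rejects the save and raises an alert, rather than silently dropping the widget.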

Tags: Exploit · Fix · RCE · Command Injection · Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2019-15954
GHSA-V287-9W3V-X5C5

Affected Products

Total.Js Cms