lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 30 Aug 2019 19:46:49 +0200
From: paw <>
Subject: [FD] Totaljs CMS Authenticated Code injection on widget creation

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Authenticated Code injection on widget creation.

[+] Affected software: Totaljs CMS 12.0

[+] Description:

An authenticated user with “widgets” privilege can gain RCE on the 
remote server by creating a malicious widget with a special tag 
containing java-script code that will be evaluated server side.
In the process of evaluating the tag by back-end is possible to escape 
the sandbox object by using the following payload:

[+] Step to reproduce:

1) browse to http://localhost:8000/admin/widgets/
2) click on create
3) paste the payload in the source code filed
4) click on save

[+] Project link:

[+] Original report and details:

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 30/08/2019 -> reported to seclist

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists