Total Js Cms
CVE-2019-15955
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in Total.js CMS 12.0.0. A low privilege user can perform a simple transformation of a cookie to obtain the random values inside it. If an attacker can discover a session cookie owned by an admin, then it is possible to brute force it with O(n)=2n instead of O(n)=n^x complexity, and steal the admin password.
AnalysisAI
An issue was discovered in Total.js CMS 12.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-327. An issue was discovered in Total.js CMS 12.0.0. A low privilege user can perform a simple transformation of a cookie to obtain the random values inside it. If an attacker can discover a session cookie owned by an admin, then it is possible to brute force it with O(n)=2n instead of O(n)=n^x complexity, and steal the admin password. Affected products include: Totaljs Total.Js Cms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Total Js Cms
View allAn issue was discovered in Total.js CMS 12.0.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely explo
An issue was discovered in Total.js CMS 12.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab
An issue was discovered in Total.js CMS 12.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/w
Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (colum
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today