Total Js Cms
CVE-2020-9381
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
AnalysisAI
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954. Affected products include: Totaljs Total.Js Cms.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
More in Total Js Cms
View allAn issue was discovered in Total.js CMS 12.0.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely explo
An issue was discovered in Total.js CMS 12.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab
An issue was discovered in Total.js CMS 12.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab
An issue was discovered in Total.js CMS 12.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploit
Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (colum
Same weakness CWE-863 – Incorrect Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today