Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
totaljs vulnerabilities and exploits
(subscribe to this query)
9.9
CVSSv3
CVE-2019-15954
An issue exists in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the pr...
Totaljs Total.js Cms 12.0.0
1 EDB exploit
9.8
CVSSv3
CVE-2021-23389
The package total.js prior to 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
Totaljs Total.js
9.8
CVSSv3
CVE-2021-23390
The package total4 prior to 0.0.43 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
Totaljs Total4
9.8
CVSSv3
CVE-2021-23344
The package total.js prior to 3.4.8 are vulnerable to Remote Code Execution (RCE) via set.
Totaljs Total.js
8.8
CVSSv3
CVE-2022-44019
In Total.js 4 prior to 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.
Totaljs Total.js
8.8
CVSSv3
CVE-2019-15953
An issue exists in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads t...
Totaljs Total.js Cms 12.0.0
8.8
CVSSv3
CVE-2019-15952
An issue exists in Total.js CMS 12.0.0. An authenticated user with the Pages privilege can conduct a path traversal attack (../) to include .html files that are outside the permitted directory. Also, if a page contains a template directive, then the directive will be server side ...
Totaljs Total.js Cms 12.0.0
8.6
CVSSv3
CVE-2020-28494
This affects the package total.js prior to 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option...
Totaljs Total.js
7.5
CVSSv3
CVE-2020-9381
controllers/admin.js in Total.js CMS 13 allows remote malicious users to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
Totaljs Total.js Cms 13.0.0
7.5
CVSSv3
CVE-2019-8903
index.js in Total.js Platform prior to 3.2.3 allows path traversal.
Totaljs Total.js
2 Github repositories
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-49223
CVE-2024-0044
information disclosure
CVE-2024-35753
HTML injection
CVE-2024-21306
CVE-2024-35733
SQL injection
CVE-2024-35732
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
NEXT »