Vulnerabilities > CVE-2019-15953 - Missing Authorization vulnerability in Totaljs Total.Js CMS 12.0.0

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

totaljs

CWE-862

NVD

Published: 2019-09-05

Updated: 2020-08-24

Summary

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertical and horizontal privilege escalation.

Vulnerable Configurations

Part	Description	Count
Application	Totaljs Totaljs Total.Js CMS 12.0.0	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
https://seclists.org/fulldisclosure/2019/Sep/6