Vulnerabilities > CVE-2020-9381 - Incorrect Authorization vulnerability in Totaljs Total.Js CMS 13.0.0

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

totaljs

CWE-863

NVD

Published: 2020-02-24

Updated: 2022-07-12

Summary

controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.

Vulnerable Configurations

Part	Description	Count
Application	Totaljs Totaljs Total.Js CMS 13.0.0	1

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://github.com/totaljs/cms/commit/2a26c4c6a61d3fda4527a761716ef7e1c5f7c970
https://github.com/saddean/research/blob/master/totaljs/Broken-acces-control.md