CVE-2019-15953 — HIGH (8.8)

Vulnerability Description

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertical and horizontal privilege escalation.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Totaljs	Total.Js Cms	12.0.0

Related Weaknesses (CWE)

CWE-862

References

https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_finaExploitThird Party Advisory
https://seclists.org/fulldisclosure/2019/Sep/6ExploitMailing ListThird Party Advisory
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_finaExploitThird Party Advisory
https://seclists.org/fulldisclosure/2019/Sep/6ExploitMailing ListThird Party Advisory

FAQ

What is CVE-2019-15953?

CVE-2019-15953 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly man...

How severe is CVE-2019-15953?

CVE-2019-15953 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-15953?

Check the references section above for vendor advisories and patch information. Affected products include: Totaljs Total.Js Cms.