Remote Code Execution (RCE)

Affecting the total.js package, versions >=3.1.0


Overview

total.js is a framework for the Node.js platform written in pure JavaScript, similar to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used to build web, desktop, service or IoT applications.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). An attacker who is allowed to create widgets can craft a malicious widget containing a special <script total> tag whose JavaScript body is then evaluated server-side by the application. Because the evaluated code can reach Node internals through global.process.mainModule.require, it is not confined to the template and can run arbitrary system commands.

PoC by Riccardo Krauter (quoting restored; the string RCE is a placeholder for the shell command to run):

<script total>global.process.mainModule.require('child_process').exec('RCE');</script>

Remediation

There is no fixed version for total.js.

CVSS Score

7.6
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H/E:F/RL:U/RC:C
Credit
Riccardo Krauter
CVE
CVE-2019-15954
CWE
CWE-94
Snyk ID
SNYK-JS-TOTALJS-461099
Disclosed
05 Sep, 2019
Published
05 Sep, 2019