CVE-2019-15954

CRITICAL

Total.js CMS 12.0.0 - Authenticated RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-15954. PoCs published by Metasploit, Riccardo Krauter, sinn3r, including Metasploit module exploits/multi/http/totaljs_cms_widget_exec.

AI-analyzed exploit summary This Metasploit module exploits CVE-2019-15954, a JavaScript code injection vulnerability in Total.js CMS 12, allowing authenticated admin users to execute arbitrary commands via a malicious widget. The exploit uses a cmdstager to deliver a payload for remote code execution.

Description

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. While the back-end evaluates the tag, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/47531

This Metasploit module exploits CVE-2019-15954, a JavaScript code injection vulnerability in Total.js CMS 12, allowing authenticated admin users to execute arbitrary commands via a malicious widget. The exploit uses a cmdstager to deliver a payload for remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Total.js CMS v12
Auth required
Prerequisites: Admin credentials for Total.js CMS · Network access to the target
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Riccardo Krauter, sinn3r · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/totaljs_cms_widget_exec.rb

This Metasploit module exploits a JavaScript code injection vulnerability in Total.js CMS 12, allowing authenticated admin users to execute arbitrary commands via a malicious widget. The exploit uses a cmdstager to deliver a payload for remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Total.js CMS v12
Auth required
Prerequisites: Admin credentials for Total.js CMS · Network access to the target
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References (3)
Tags: Exploit · Mailing List · Third Party Advisory · x_refsource_misc
https://seclists.org/fulldisclosure/2019/Sep/5

Scores

CVSS v3 9.9
EPSS 0.5691
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-862
Status published
Products (2)
npm/total4 npm
totaljs/total.js_cms 12.0.0
Published Sep 05, 2019
Tracked Since Feb 18, 2026