CVE-2019-15952
Description
Authenticated path traversal in Total.js CMS 12.0.0 allows inclusion of arbitrary .html files and, via template directives, remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2019-15952 is a path traversal vulnerability in Total.js CMS version 12.0.0. The issue stems from insufficient input validation of the template parameter in the page creation API. An authenticated user with the Pages privilege can inject ../ sequences to include .html files located outside the intended directory [1][3].
Exploitation
To exploit the vulnerability, an attacker sends a specially crafted POST request to the admin pages endpoint, modifying the template JSON parameter to include a path traversal payload (e.g., ../../../../../../../../../../../../var/www/html/test_rce). The backend automatically appends the .html extension, so the attacker must omit it [4]. If the included .html file contains a template directive, that directive is executed server-side.
Impact
By controlling the content of an externally located .html file, an attacker can inject a malicious template directive, leading to remote code execution on the server. This gives the attacker the ability to execute arbitrary commands, potentially compromising the entire CMS installation [1][4].
Mitigation
No official patch was released by the vendor at the time of disclosure. Administrators should restrict the Pages privilege to trusted users only and ensure that uploaded or included .html files cannot be controlled by untrusted parties. Consider using a web application firewall to block path traversal attempts [1][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Total.js / Total.js CMS
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-pwvp-h579-hfxg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15952 (NVD advisory)
- packetstormsecurity.com/files/154340/Totaljs-CMS-12.0-Path-Traversal.html (MITRE, MISC)
- seclists.org/fulldisclosure/2019/Sep/11 (MITRE, Full Disclosure mailing list)
- github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf (GHSA, MISC)
- seclists.org/fulldisclosure/2019/Sep/2 (GHSA, MISC)
News mentions
No linked articles in our index yet.