CVE-2019-15953
Description
Total.js CMS 12.0.0 fails to enforce access controls on API endpoints, allowing authenticated users with limited privileges to access unauthorized resources, leading to privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Total.js CMS 12.0.0 suffers from a broken access control vulnerability where the system only enforces privilege checks on front-end resource paths, not on corresponding API requests [1]. This allows an authenticated user with limited privileges to directly call API endpoints that should be restricted.
To exploit this, an attacker must first authenticate with any user account, even one with minimal privileges (e.g., 'Notices'). By capturing the session cookie from the admin front-end and making a crafted POST request to an API endpoint such as /admin/api/pages/preview/, the attacker can receive a 200 response, indicating successful access to a resource they are not authorized to use [4]. No special network position is required; the attacker simply needs to be able to send HTTP requests to the CMS.
The impact includes both vertical and horizontal privilege escalation. A low-privileged user can access administrative functions or other users' data, potentially leading to full system compromise [1]. As of the disclosure timeline, the vendor was notified in February 2019 but had not released a patch by August 2019 [4]. Users should restrict network access to the CMS and apply any available updates.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
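The narrative above describes the flaw class as an authorization check that ran on front-end resource paths but not on the API requests behind them. The following is an added illustration, not Total.js CMS code: a small Node.js dispatcher in which every route, UI or API, declares the permission it needs and one shared check enforces it, shown beside the weak pattern that skips the check for API paths. The role names, permission strings and all paths except /admin/api/pages/preview/ (the endpoint named in the narrative) are constructed for the example; `auditRoutes` is a hypothetical startup/CI check that flags API routes with no declared permission or one that differs from the UI route for the same operation.

```javascript
// Added example, not Total.js CMS code. Roles, permissions and most paths are
// constructed; /admin/api/pages/preview/ is the endpoint named in the advisory.

// Constructed role -> permission map.
const PERMISSIONS = {
  admin:   new Set(['pages:read', 'pages:preview', 'users:read', 'notices:write']),
  editor:  new Set(['pages:read', 'pages:preview']),
  notices: new Set(['notices:write']),
};

// Route table. Every route, UI or API, declares the permission it requires,
// so authorization is data the dispatcher enforces rather than per-handler discipline.
const ROUTES = [
  { method: 'GET',  path: '/admin/pages/',             requires: 'pages:read' },
  { method: 'GET',  path: '/admin/pages/preview/',     requires: 'pages:preview' },
  { method: 'POST', path: '/admin/api/pages/preview/', requires: 'pages:preview' },
  { method: 'GET',  path: '/admin/api/users/',         requires: 'users:read' },
  { method: 'POST', path: '/admin/api/notices/',       requires: 'notices:write' },
];

function findRoute(method, path, routes = ROUTES) {
  return routes.find((r) => r.method === method && r.path === path) || null;
}

// True only when the user's role grants the permission the route declares.
function isAuthorized(user, route) {
  const perms = user && PERMISSIONS[user.role];
  return Boolean(perms && perms.has(route.requires));
}

// Weak pattern, modelled on the advisory's description: the privilege check
// runs for front-end paths only, so any authenticated session reaches API paths.
function handleUiOnlyCheck(req) {
  const route = findRoute(req.method, req.path);
  if (!route) return { status: 404 };
  if (!req.user) return { status: 401 };
  const isApi = req.path.startsWith('/admin/api/');
  if (!isApi && !isAuthorized(req.user, route)) return { status: 403 };
  return { status: 200 };
}

// Hardened dispatcher: deny by default, identical check for every route.
function handle(req) {
  const route = findRoute(req.method, req.path);
  if (!route) return { status: 404 };
  if (!req.user) return { status: 401 };
  if (!isAuthorized(req.user, route)) return { status: 403 };
  return { status: 200 };
}

// Hypothetical configuration check for startup or CI: every API route must
// declare a permission, and it must match the UI route for the same operation
// (same path with the "/api" segment removed) when such a UI route exists.
function auditRoutes(routes = ROUTES) {
  const findings = [];
  for (const r of routes) {
    if (!r.path.startsWith('/admin/api/')) continue;
    if (!r.requires) {
      findings.push(`${r.method} ${r.path}: no permission declared`);
      continue;
    }
    const uiPath = r.path.replace('/admin/api/', '/admin/');
    const ui = routes.find((u) => u.path === uiPath);
    if (ui && ui.requires !== r.requires) {
      findings.push(`${r.method} ${r.path}: requires ${r.requires} but ${uiPath} requires ${ui.requires}`);
    }
  }
  return findings;
}

// Stand-alone demonstration: a low-privileged session against the API endpoint.
const lowPrivileged = { method: 'POST', path: '/admin/api/pages/preview/', user: { role: 'notices' } };
console.log('UI-only check :', handleUiOnlyCheck(lowPrivileged).status); // 200: API path not checked
console.log('shared check  :', handle(lowPrivileged).status);            // 403: permission enforced
console.log('audit findings:', auditRoutes());                            // []
```

The point of `auditRoutes` is that the defect in the narrative is a coverage gap in configuration, not a bug in any one handler; a route-table invariant checked at startup catches a new API route that was added without a permission before it ships.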
Affected products
- Total.js / Total.js CMS
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-q3x9-28f7-w8rc (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15953 (advisory)
- github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf (web)
- seclists.org/fulldisclosure/2019/Sep/6 (web)
News mentions
No linked articles in our index yet.