Critical severity · NVD Advisory · Published Sep 5, 2019 · Updated Aug 5, 2024

CVE-2019-15954

Description

Authenticated users with widgets privilege in Total.js CMS 12.0.0 can achieve remote code execution via server-side JavaScript evaluation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-15954 is a server-side code injection vulnerability in Total.js CMS version 12.0.0. The issue stems from the way the CMS processes widgets. An authenticated user who has been granted the 'widgets' privilege can create a malicious widget containing a specially crafted `<script total>` tag. When the backend evaluates this tag, it does so in a server-side context that allows JavaScript code execution. The attacker can escape the intended sandbox with the payload `global.process.mainModule.require('child_process').exec(RCE)`, enabling arbitrary command execution on the server. [1] [2]

Exploitation and Impact

To exploit this vulnerability, an attacker must first have an authenticated session in the CMS and possess the 'widgets' privilege. No other special network access is required beyond being able to reach the application. The attacker creates a new widget and includes the malicious `<script total>` tag with the JavaScript payload. Once the widget is rendered or processed server-side, the injected code runs with the privileges of the Node.js process, leading to full remote code execution (RCE). [2] [4]

Mitigation

Users of Total.js CMS 12.0.0 are advised to upgrade to a patched version as soon as possible. As of the publication date, a fix has been issued by the vendor. No workarounds are documented for this specific vulnerability, and given its severity (RCE via authenticated low-privileged user), upgrading is strongly recommended. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [3]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Server-side evaluation of `<script total>` widget tags does not properly sandbox the JavaScript execution context, allowing escape via Node.js globals to achieve command injection."

Attack vector

An authenticated user who holds the widgets privilege creates a new widget containing a `<script total>` tag with malicious JavaScript. The payload escapes the server-side sandbox by accessing `global.process.mainModule.require('child_process').exec(RCE)` [ref_id=1]. When the back-end evaluates the tag, the attacker-supplied JavaScript executes on the server, achieving Remote Command Execution [CWE-77].

Affected code

The vulnerability resides in the server-side tag evaluation engine of Total.js CMS 12.0.0. The back-end evaluates `<script total>` tags within widget content without properly sandboxing the JavaScript execution context [ref_id=1].

What the fix does

The advisory does not include a patch or specific remediation code [ref_id=1]. The recommended fix would involve properly sandboxing the JavaScript evaluation context so that `global.process.mainModule` is not accessible from within `<script total>` tags, and/or sanitizing or disallowing dangerous Node.js globals during server-side tag evaluation.
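As an added illustration of the "disallowing dangerous Node.js globals" approach mentioned above (this is example code, not Total.js code or the vendor's fix), the validator below scans widget markup before it is saved and rejects any `<script total>` block that references the process object, the module loader or a dynamic-code primitive. The tag regex, the denylist and the two sample widgets are constructed assumptions; the hostile sample only mirrors the payload string quoted in this advisory and is never evaluated.

```javascript
// Added example, not Total.js code: a pre-save validator for CMS widget
// markup that rejects <script total> blocks referencing Node.js globals or
// the module loader. This is a defense-in-depth control; the primary fix is
// an evaluation context that simply has no access to those globals.

// Matches the server-side evaluation tag described in the advisory and
// captures its body. Ordinary client-side <script> tags are ignored because
// they are not evaluated on the server.
const SERVER_SCRIPT_RE = /<script\s+total\b[^>]*>([\s\S]*?)<\/script\s*>/gi;

// Identifiers that should never appear in server-evaluated widget code.
// A denylist can be bypassed by obfuscation, so treat any hit as a hard
// reject and rely on the runtime sandbox for the actual security boundary.
const DENIED_IDENTIFIERS = [
  'process', 'require', 'mainModule', 'child_process',
  'global', 'globalThis', 'eval', 'Function',
];

// Return the bodies of all <script total> blocks in a widget's markup.
function extractServerScripts(markup) {
  const bodies = [];
  for (const match of markup.matchAll(SERVER_SCRIPT_RE)) {
    bodies.push(match[1]);
  }
  return bodies;
}

// Return the denied identifiers present in one script body, in denylist
// order. \b boundaries keep "process" from matching inside "preprocessor".
function findDeniedIdentifiers(code) {
  return DENIED_IDENTIFIERS.filter((id) => new RegExp(`\\b${id}\\b`).test(code));
}

// Validate a whole widget. Result shape: { ok, violations: [{ index, identifiers }] }
// where index is the position of the offending <script total> block.
function validateWidget(markup) {
  const violations = [];
  extractServerScripts(markup).forEach((body, index) => {
    const identifiers = findDeniedIdentifiers(body);
    if (identifiers.length > 0) violations.push({ index, identifiers });
  });
  return { ok: violations.length === 0, violations };
}

// Constructed sample widgets (assumed markup, not taken from the references).
const BENIGN_WIDGET = `
<div class="greeting">
  <script total>output = 'Hello ' + model.name;</script>
</div>`;

// Second block mirrors the payload quoted in the advisory; it is only
// scanned as text here, never executed.
const HOSTILE_WIDGET = `
<div class="greeting">
  <script total>output = 'Hello ' + model.name;</script>
  <script total>global.process.mainModule.require('child_process').exec(RCE);</script>
</div>`;

console.log(JSON.stringify(validateWidget(BENIGN_WIDGET)));
console.log(JSON.stringify(validateWidget(HOSTILE_WIDGET)));
```

The hostile sample is flagged on its second block with `process`, `require`, `mainModule`, `child_process` and `global` all reported, while the benign widget passes. Because a text denylist is inherently bypassable, this check belongs in front of, not instead of, an evaluation context that exposes no Node.js globals at all; Node's own `vm` module is documented as not being a security mechanism and should not be mistaken for that sandbox.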

Preconditions

  • auth: Attacker must be an authenticated user of Total.js CMS
  • config: Attacker must have the 'widgets' privilege assigned to their role
  • input: Attacker must have access to the widget creation/editing interface

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.