VYPR
Unrated severity · NVD Advisory · Published Aug 3, 2023 · Updated Oct 17, 2024

CVE-2023-36212

Description

File Upload vulnerability in Total CMS v.1.7.4 allows a remote attacker to execute arbitrary code via a crafted PHP file to the edit page function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing file-type validation in the Edit Page upload function allows arbitrary PHP file upload."

Attack vector

An authenticated attacker navigates to the "Edit Page" function at `totalapi.php`, scrolls to the downloads area, and uploads a crafted PHP file (e.g., `shell.php` containing `system($_REQUEST['cmd'])`) [ref_id=1]. The CMS accepts the PHP file without validation, storing it in the `cms-data/depot/` directory, where it becomes accessible via a direct HTTP request [ref_id=1]. The attacker then sends commands via the `cmd` parameter to achieve remote code execution [ref_id=1].

Affected code

The vulnerable endpoint is `rw_common/plugins/stacks/total-cms/totalapi.php`, specifically the "Edit Page" function's file upload area for downloads [ref_id=1]. The CMS stores uploaded files under the `cms-data/depot/` directory without restricting file types [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not specify any vendor fix or remediation commit [ref_id=1]. To close the vulnerability, the application should validate uploaded file extensions (e.g., reject `.php`), restrict the upload directory's execution permissions, and/or sanitize file content to prevent arbitrary code execution.
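
The validation steps named above, written out as an added PHP example (not Total CMS code and not a vendor fix). The function name `store_download`, the `ALLOWED_TYPES` allowlist and the `$depotDir` parameter are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Total CMS code. ALLOWED_TYPES, store_download() and
// $depotDir are hypothetical names chosen for illustration.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'zip' => 'application/zip',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/**
 * Validate one entry of $_FILES and move it into $depotDir.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function store_download(array $file, string $depotDir): string
{
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }

    // 1. Extension allowlist: .php, .phtml, .PHP and anything unlisted fail here.
    $ext = strtolower(pathinfo((string) ($file['name'] ?? ''), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content check: the sniffed MIME type must match the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // 3. Server-chosen name: the client never controls the stored path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($depotDir, '/') . '/' . $stored;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $stored;
}
```

A content check alone does not stop a file that is both a valid image and a script, so the upload directory should also be configured so the web server serves its contents as static files and never passes them to the PHP interpreter.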

Preconditions

  • auth: Attacker must have valid authentication credentials for the Total CMS instance
  • config: Target must be running Total CMS version 1.7.4
  • network: Attacker must have network access to the vulnerable totalapi.php endpoint

Reproduction

1. Log in to Total CMS 1.7.4 and navigate to the "Edit Page" button.
2. The vulnerable URL is `http://localhost.com/rw_common/plugins/stacks/total-cms/totalapi.php`.
3. Scroll to the downloads area and upload a PHP file (e.g., `shell.php`) containing `<?php echo "<pre>"; system($_REQUEST['cmd']); echo "</pre>"; ?>`.
4. Access the uploaded shell at `https://localhosts/cms-data/depot/cmssoccerdepot/shell.php?cmd=id` to execute commands [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
