CVE-2019-15953

Опубликовано: 05 сент. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertical and horizontal privilege escalation.

Ссылки

https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
Exploit
Third Party Advisory
https://seclists.org/fulldisclosure/2019/Sep/6
Exploit
Mailing List
Third Party Advisory
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
Exploit
Third Party Advisory
https://seclists.org/fulldisclosure/2019/Sep/6
Exploit
Mailing List
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:totaljs:total.js_cms:12.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 72%

0.00705

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-862

Связанные уязвимости

GHSA-q3x9-28f7-w8rc