| Field | Value |
|---|---|
| Title | Total.js CMS v19.9.0 Cross Site Scripting |
| Description | In CMS Total.js v19.9.0, a stored Cross-Site Scripting (XSS) vulnerability was identified that was exploitable through the file upload functionality available in the "Files" menu.<br>An authenticated attacker with administrative privileges can upload malicious files by manipulating the Content-Type to `text/html` and using arbitrary file extensions (e.g. `.html`). This way, it is possible to upload files containing injected JavaScript code.<br>As a proof of concept, an HTML file containing the following payload was uploaded:<br>`<script>window.location.href='https://www.google.com/'</script>`<br>When accessing the file hosted on the CMS, the JavaScript code is executed in the victim's browser, causing automatic redirection to a domain controlled by the attacker. The impact may include phishing and performing other malicious actions in accordance with the attacker's goals.<br>PoC example:<br>`http://x.x.x.x:8000/download/JBMVZC1c561f.html?download=1`<br>This behavior demonstrates that any user who accesses the malicious URL will have JavaScript code executed in their browser, allowing the attacker to exploit XSS for different purposes.<br>I will leave the PoC URL in the Consulting/Exploration field. If you do not agree, please let me know so that I can adapt as expected. Thank you in advance. |
| Source | http://x.x.x.x:8000/download/JBMVZC1c561f.html?download=1 |
| User | mirandaBR (UID 90010) |
| Submission | 09/09/2025 20:46 (7 months ago) |
| Moderation | 09/26/2025 08:59 (17 days later) |
| Status | Accepted |
| VulDB entry | 325962 [Total.js CMS up to 19.9.0 Files Menu cross site scripting] |
| Points | 20 |