CVE-2020-9381

Sažetak

controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.

Reference

https://github.com/totaljs/cms/commit/2a26c4c6a61d3fda4527a761716ef7e1c5f7c970
https://github.com/saddean/research/blob/master/totaljs/Broken-acces-control.md

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

12-07-2022 - 17:42

Objavljeno

24-02-2020 - 22:15