In this post I will go through CVE-2022-41392: the description, replication of the vulnerability and PoC.

This is my first 0day :)

TotalJS is an Open-Source JavaScript platform providing a lot of FOSS tools and libraries written in Javascript/NodeJS. This vulnerability affects the TotalJS CMS product (link to the GitHub repo).

From the Official CMS website we can read:

"Get a simple, clean, beautiful, and design-driven Total.js Content Management System with a lot of impressive features.
Total.js CMS helps you manage your new fascinating commercial or personal websites easily.
Node.js CMS is built on NoSQL embedded database and with no dependencies [...]".

totaljs-cms

Description of the vulnerability

A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings.

This is the vulnerable code:

<head>
    <title>@{'%name'} v@{'%version'}</title>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=10" />
    <meta name="format-detection" content="telephone=no" />
    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
    <meta name="robots" content="all,follow" />

The name parameter in file views/admin.html is directly inserted in the response without being properly sanitized.

Replication of the vulnerability

  • Log in to the application.
  • Set " <script>alert(document.domain)</script> as website name.
  • Fill in other required fields with random values and save.
  • Then just visit the admin dashboard and the alert will fire.

Each time a target will visit the dashboard the payload will fire, even if the target is not logged in!
Since the website redirects to /admin/ presenting the login form, the payload is reflected also there.

To test this, just click logout and reload the page.

totaljs-cms-poc

totaljs-cms-poc2

PoC

References