Edoardo Ottavianelli


CVE-2022-41392

Author: Edoardo Ottavianelli
11/10/2022

In this post I will go through CVE-2022-41392: the description, replication of the vulnerability and POC.
This is my first 0day :)

TotalJS is an open-source JavaScript platform providing many FOSS tools and libraries written in JavaScript/Node.js. This vulnerability affects the TotalJS CMS product (link to the GitHub repo). From the official CMS website we can read:
"Get a simple, clean, beautiful, and design-driven Total.js Content Management System with a lot of impressive features. Total.js CMS helps you manage your new fascinating commercial or personal websites easily. Node.js CMS is built on NoSQL embedded database and with no dependencies [...]".


Description of the vulnerability

A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings.

This is the vulnerable code (views/admin.html):
<head>
    <!-- %name is the "Website name" setting; it is rendered here without HTML escaping -->
    <title>@{'%name'} v@{'%version'}</title>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=10" />
    <meta name="format-detection" content="telephone=no" />
    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
    <meta name="robots" content="all,follow" />
The name parameter (the website name from Main Settings) is inserted directly into the response by views/admin.html without being properly sanitized.
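To make the sink concrete, here is an added example (not Total.js code and not the author's PoC) with a stand-in for the view engine's `@{'%name'}` config substitution. It renders the page's own `<title>` fragment twice over a constructed config whose site name carries the markup from the advisory: once verbatim, as the vulnerable template does, and once through an HTML-escaping output step, which is the usual fix for this class of bug. The regex-based renderer and the `CONFIG` object are assumptions made for the example; the fragment and the payload come from the page.

```javascript
// Added example (not Total.js code): a stand-in for the view engine's
// @{'%name'} config substitution, showing the unescaped sink beside a
// hardened version that HTML-escapes config values on output.

// The <title> fragment from views/admin.html, copied from the page.
const TEMPLATE = "<title>@{'%name'} v@{'%version'}</title>";

// Constructed sample config: the "Website name" setting holds the markup
// shown in the advisory; the version string is made up for the example.
const CONFIG = {
  name: '" <script>alert(document.domain)</script>',
  version: "1.0.0",
};

// HTML-escape for text and attribute contexts: the five characters that can
// change HTML structure are replaced with entity references.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: config values are spliced into the markup verbatim,
// so whatever was stored in the site name becomes part of the admin page.
function renderUnsafe(template, config) {
  return template.replace(/@\{'%(\w+)'\}/g, (_, key) => config[key] ?? "");
}

// Hardened rendering: the same substitution, but every value is escaped at
// the point of output. The stored setting is left unchanged; only the
// rendering differs, so legitimate names containing & or " still display.
function renderSafe(template, config) {
  return template.replace(/@\{'%(\w+)'\}/g, (_, key) =>
    escapeHtml(config[key] ?? "")
  );
}

// Review-time check over rendered output: does a raw <script> open tag
// appear in the HTML? The template itself contains none, so any hit came
// from a substituted value.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe :", renderUnsafe(TEMPLATE, CONFIG));
console.log("safe   :", renderSafe(TEMPLATE, CONFIG));
console.log("unsafe has raw <script>:", containsRawScript(renderUnsafe(TEMPLATE, CONFIG)));
console.log("safe   has raw <script>:", containsRawScript(renderSafe(TEMPLATE, CONFIG)));
```

The fix is applied at the output boundary rather than by filtering the setting on save: escaping on output protects every place the value is rendered, including the login page at /admin/ that the post mentions, while input filtering would have to anticipate every context the value is later used in.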

Replication of the vulnerability

  • Log in to the application.
  • Set " <script>alert(document.domain)</script> as website name.
  • Fill in other required fields with random values and save.
  • Then just visit the admin dashboard and the alert will fire.
Each time a target visits the dashboard, the payload fires, even if the target is not logged in!
Since the website redirects to /admin/, which presents the login form, the payload is reflected there as well.
To test this, just click logout and reload the page.


POC

As this is a stored XSS, it's not possible to provide a single command that executes everything. Just follow the instructions above.
