total4
npm · 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting total4 (page 1 of 1)
- CVE-2019-15952 · HIGH · CVSS 8.8 · EG 8.8 · 2019-09-05
vulnerable: 12.0
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the Pages privilege can conduct a path traversal attack (../) to include .html files that are outside the permitted directory. Also, if a page contains a template d…
- CVE-2019-15953 · HIGH · CVSS 8.8 · EG 8.8 · 2019-09-05
vulnerable: 12.0
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end …
- CVE-2019-15954 · CRITICAL · CVSS 9.9 · EG 9.9 · 2019-09-05
vulnerable: 12.0.0
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript c…
- CVE-2021-23390 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 0.0.43 · 2021-07-12
The package total4 before 0.0.43 is vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
- CVE-2023-30094 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 0.0.81 · 2023-05-04
A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the settings module.