Totaljs: Security Vulnerabilities

A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score: 1.9; EPSS Score: 0.0; Published: 2025-09-26

A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score: 1.9; EPSS Score: 0.0; Published: 2025-09-25

An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file.
CVSS Score: 8.8; EPSS Score: 0.056; Published: 2024-10-25

A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the settings module.
CVSS Score: 5.4; EPSS Score: 0.007; Published: 2023-05-04

A stored cross-site scripting (XSS) vulnerability in TotalJS messenger commit b6cf1c9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the channel description field.
CVSS Score: 5.4; EPSS Score: 0.006; Published: 2023-05-04

A stored cross-site scripting (XSS) vulnerability in TotalJS messenger commit b6cf1c9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the user information field.
CVSS Score: 5.4; EPSS Score: 0.006; Published: 2023-05-04

A stored cross-site scripting (XSS) vulnerability in TotalJS messenger commit b6cf1c9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the private task field.
CVSS Score: 5.4; EPSS Score: 0.006; Published: 2023-05-04

A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the account name field.
CVSS Score: 5.4; EPSS Score: 0.002; Published: 2023-03-14

A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field.
CVSS Score: 5.4; EPSS Score: 0.002; Published: 2023-03-14

In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.
CVSS Score: 8.8; EPSS Score: 0.036; Published: 2022-10-30