CVE-2024-48655

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 25, 2024 / Updated: 25d ago

CVSS 8.8 / EPSS 0.04% / High

Summary

An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file. This vulnerability is classified as CWE-94: Improper Control of Generation of Code ('Code Injection'). The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity level.

Impact

The impact of this vulnerability is severe. An attacker can execute arbitrary code remotely, potentially leading to complete system compromise. The CVSS score indicates high impacts on confidentiality, integrity, and availability. This means an attacker could potentially access sensitive information, modify or delete critical data, and disrupt system operations. The attack vector is network-based, requires low attack complexity, and no user interaction, making it relatively easy for attackers to exploit.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, there is no mention of an available patch for this vulnerability in Total.js CMS v.1.0. The security team should closely monitor for any updates or patches released by the vendor, Total.js.

Mitigation

Until a patch is available, the following mitigation strategies are recommended:

1. If possible, temporarily disable or restrict access to the func.js file in Total.js CMS v.1.0.
2. Implement strong network segmentation to limit potential attacker access to systems running the vulnerable software.
3. Enhance monitoring for any suspicious activities or unauthorized code execution attempts.
4. Consider implementing a Web Application Firewall (WAF) with rules to detect and block potential code injection attempts.
5. If feasible, consider temporarily taking the affected systems offline or replacing them with an alternative, non-vulnerable CMS until a patch is available.
6. Regularly back up critical data and ensure the ability to quickly restore systems in case of a successful attack.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48655

Oct 25, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48655.

Oct 25, 2024 at 5:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 25, 2024 at 5:38 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 26, 2024 at 9:53 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 29, 2024 at 8:40 PM / nvd

Affected Systems

Totaljs/total.js_cms

Attack Patterns

CAPEC-242: Code Injection

News

Security Bulletin 30 Oct 2024 - Cyber Security Agency of Singapore
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute ...
CVE-2024-48655
Critical Severity Description An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file. Read more at https://www.tenable.com/cve/CVE-2024-48655
NA - CVE-2024-48655 - An issue in Total.js CMS v.1.0 allows a remote...
An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file.
CVE-2024-48655 | Total.js CMS 1.0 func.js Privilege Escalation (Issue 49)
A vulnerability, which was classified as critical, has been found in Total.js CMS 1.0. Affected by this issue is some unknown functionality of the file func.js. The manipulation leads to Privilege Escalation. This vulnerability is handled as CVE-2024-48655. The attack may be launched remotely. There is no exploit available.
CVE-2024-48655 - Total.js CMS Code Execution Vulnerability
CVE ID : CVE-2024-48655 Published : Oct. 25, 2024, 5:15 p.m. 22 minutes ago Description : An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file. Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
