CVE-2024-48655

8.8 HIGH

📋 TL;DR

CVE-2024-48655 is a server-side JavaScript code injection vulnerability in Total.js CMS v1.0 that allows remote attackers to execute arbitrary code via the func.js file. This enables complete system compromise of affected web servers. Organizations running Total.js CMS v1.0 are affected.

💻 Affected Systems

Products:
  • Total.js CMS
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Total.js CMS v1.0 are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with attacker gaining full control of the web server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to web server compromise, data theft, and potential ransomware deployment.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in a GitHub issue and a Medium article. The attack requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/totaljs/cms/issues/49

Restart Required: Yes

Instructions:

1. Check if running Total.js CMS v1.0.
2. Immediately upgrade to a newer version if available.
3. If no newer version exists, implement workarounds or migrate to an alternative CMS.

🔧 Temporary Workarounds

Block func.js access

Platform: all

Restrict access to the vulnerable func.js file via web server configuration or WAF.

# Apache: RewriteRule ^/func\.js$ - [F,L]
# Nginx: location ~ /func\.js$ { deny all; }

Input validation hardening

Platform: all

Implement strict input validation and sanitization for all user-controlled parameters.

🧯 If You Can't Patch

  • Isolate affected systems in a dedicated network segment with strict egress filtering.
  • Implement web application firewall (WAF) rules to block malicious payloads targeting func.js.

🔍 How to Verify

Check if Vulnerable:

Check if Total.js CMS version is 1.0 by examining package.json or application metadata.

Check Version:

grep -o '"version": *"1\.0[^"]*"' package.json

Verify Fix Applied:

Verify func.js file is no longer accessible or has been patched with proper input validation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests to func.js
  • JavaScript code execution patterns in logs
  • Unexpected process spawns from web server

Network Indicators:

  • HTTP requests containing malicious JavaScript payloads
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_logs" AND (uri="/func.js" OR uri="*func.js*") AND (method="POST" OR method="GET")
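To turn the log indicators above into something that can run offline, the following added example (not part of this advisory or of Total.js CMS) parses access-log lines in the Apache/Nginx combined format, an assumed format, and reports every request whose path ends in func.js, grouped by client IP; the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumption: logs are in the Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_funcjs_request(target):
    """True when the request path (query string stripped) ends in func.js, like the SIEM query."""
    path = target.split("?", 1)[0]
    return path.lower().endswith("func.js")

def flag_funcjs_requests(lines):
    """Return (hits, per_ip): parsed func.js requests and a count of them per client IP."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_funcjs_request(rec["target"]):
            continue
        hits.append(rec)
        per_ip[rec["ip"]] += 1
    return hits, per_ip

# Constructed sample log lines (not real traffic): two touch func.js, one is ordinary, one is garbage.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:12:00:05 +0000] "POST /func.js HTTP/1.1" 200 77 "-" "curl/8.4.0"
198.51.100.7 - - [10/Oct/2024:12:00:09 +0000] "GET /admin/func.js?x=1 HTTP/1.1" 404 0 "-" "python-requests/2.31"
not a log line
"""

if __name__ == "__main__":
    hits, per_ip = flag_funcjs_requests(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["target"]} -> {rec["status"]}')
    print("requests to func.js per client:", dict(per_ip))
```

Feed it a real access log with `flag_funcjs_requests(open(path))` and review any client that appears more than once, since legitimate traffic to this file should be rare.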
