CVE-2020-26229

Sažetak

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described.

Reference

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2
https://typo3.org/security/advisory/typo3-core-sa-2020-012

CVSS

Base:	3.6
Impact:	4.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	PARTIAL

CVSS vektor

AV:N/AC:H/Au:S/C:P/I:N/A:P

Zadnje važnije ažuriranje

01-12-2020 - 20:53

Objavljeno

23-11-2020 - 22:15