TYPO3 up to 10.4.9 RSS Widget xml external entity reference


A vulnerability has been found in TYPO3 up to 10.4.9 (Content Management System) and classified as critical. The affected code is an unknown code block of the RSS Widget component. Upgrading to version 10.4.10 eliminates this vulnerability.

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response and the prioritization of issues become possible.


ID | Committed | User | Field | Change | Remarks | Moderated | Reason | C
10716494 | 12/10/2020 | VulD... | cvss2_nvd_basescore | 3.6 | nist.gov | 12/10/2020 | accepted | 90
10716493 | 12/10/2020 | VulD... | cve_cna | GitHub, Inc. | nvd.nist.gov | 12/10/2020 | accepted | 70
10716492 | 12/10/2020 | VulD... | cvss2_nvd_ai | P | nvd.nist.gov | 12/10/2020 | accepted | 70
10716491 | 12/10/2020 | VulD... | cvss2_nvd_ii | N | nvd.nist.gov | 12/10/2020 | accepted | 70
10716490 | 12/10/2020 | VulD... | cvss2_nvd_ci | P | nvd.nist.gov | 12/10/2020 | accepted | 70
10716489 | 12/10/2020 | VulD... | cvss2_nvd_au | S | nvd.nist.gov | 12/10/2020 | accepted | 70
10716488 | 12/10/2020 | VulD... | cvss2_nvd_ac | H | nvd.nist.gov | 12/10/2020 | accepted | 70
10716487 | 12/10/2020 | VulD... | cvss2_nvd_av | N | nvd.nist.gov | 12/10/2020 | accepted | 70
10716486 | 12/10/2020 | VulD... | cve_nvd_summary | TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described. | cve.mitre.org | 12/10/2020 | accepted | 70
10716485 | 12/10/2020 | VulD... | cve_assigned | 1601503200 | cve.mitre.org | 12/10/2020 | accepted | 70
10654044 | 11/24/2020 | VulD... | price_0day | $5k-$25k | see documentation | 11/24/2020 | accepted | 90
10654043 | 11/24/2020 | VulD... | cvss3_meta_tempscore | 5.3 | see documentation | 11/24/2020 | accepted | 90
10654042 | 11/24/2020 | VulD... | cvss3_meta_basescore | 5.5 | see documentation | 11/24/2020 | accepted | 90
10654041 | 11/24/2020 | VulD... | cvss3_vuldb_tempscore | 5.3 | | 11/24/2020 | accepted | 90
10654040 | 11/24/2020 | VulD... | cvss3_vuldb_basescore | 5.5 | | 11/24/2020 | accepted | 90
10654039 | 11/24/2020 | VulD... | cvss2_vuldb_tempscore | 5.7 | | 11/24/2020 | accepted | 90
10654038 | 11/24/2020 | VulD... | cvss2_vuldb_basescore | 6.5 | | 11/24/2020 | accepted | 90
10654037 | 11/24/2020 | VulD... | cvss3_vuldb_e | X | derived from historical data | 11/24/2020 | accepted | 80
10654036 | 11/24/2020 | VulD... | cvss2_vuldb_e | ND | derived from historical data | 11/24/2020 | accepted | 80
10654035 | 11/24/2020 | VulD... | cvss2_vuldb_au | S | derived from historical data | 11/24/2020 | accepted | 80
