TYPO3 up to 10.4.9 RSS Widget XML External Entity


A vulnerability classified as critical was found in TYPO3 up to 10.4.9 (Content Management System). Affected by this vulnerability is an unknown function of the component RSS Widget. Upgrading to version 10.4.10 eliminates this vulnerability.

Edit history (one column per revision; an empty cell means the field was not yet set in that revision):

Field                  | 24/11/2020 08:08                                                                  | 10/12/2020 07:49                                                                  | 10/12/2020 07:53
name                   | TYPO3                                                                             | TYPO3                                                                             | TYPO3
component              | RSS Widget                                                                        | RSS Widget                                                                        | RSS Widget
cwe                    | 611 (XML External Entity)                                                         | 611 (XML External Entity)                                                         | 611 (XML External Entity)
risk                   | 2                                                                                 | 2                                                                                 | 2
cvss3_vuldb_av         | N                                                                                 | N                                                                                 | N
cvss3_vuldb_ac         | L                                                                                 | L                                                                                 | L
cvss3_vuldb_pr         | L                                                                                 | L                                                                                 | L
cvss3_vuldb_ui         | R                                                                                 | R                                                                                 | R
cvss3_vuldb_s          | U                                                                                 | U                                                                                 | U
cvss3_vuldb_c          | L                                                                                 | L                                                                                 | L
cvss3_vuldb_i          | L                                                                                 | L                                                                                 | L
cvss3_vuldb_a          | L                                                                                 | L                                                                                 | L
cvss3_vuldb_rl         | O                                                                                 | O                                                                                 | O
cvss3_vuldb_rc         | C                                                                                 | C                                                                                 | C
url                    | https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2       | https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2       | https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2
confirm_url            | https://typo3.org/security/advisory/typo3-core-sa-2020-012                        | https://typo3.org/security/advisory/typo3-core-sa-2020-012                        | https://typo3.org/security/advisory/typo3-core-sa-2020-012
name                   | Upgrade                                                                           | Upgrade                                                                           | Upgrade
cve                    | CVE-2020-26229                                                                    | CVE-2020-26229                                                                    | CVE-2020-26229
date                   | 1606172400 (24/11/2020)                                                           | 1606172400 (24/11/2020)                                                           | 1606172400 (24/11/2020)
type                   | Content Management System                                                         | Content Management System                                                         | Content Management System
cvss2_vuldb_av         | N                                                                                 | N                                                                                 | N
cvss2_vuldb_ac         | L                                                                                 | L                                                                                 | L
cvss2_vuldb_ci         | P                                                                                 | P                                                                                 | P
cvss2_vuldb_ii         | P                                                                                 | P                                                                                 | P
cvss2_vuldb_ai         | P                                                                                 | P                                                                                 | P
cvss2_vuldb_rc         | C                                                                                 | C                                                                                 | C
cvss2_vuldb_rl         | OF                                                                                | OF                                                                                | OF
cvss2_vuldb_au         | S                                                                                 | S                                                                                 | S
cvss2_vuldb_e          | ND                                                                                | ND                                                                                | ND
cvss3_vuldb_e          | X                                                                                 | X                                                                                 | X
cvss2_vuldb_basescore  | 6.5                                                                               | 6.5                                                                               | 6.5
cvss3_vuldb_basescore  | 5.5                                                                               | 5.5                                                                               | 5.5
cvss3_meta_basescore   | 5.5                                                                               | 5.5                                                                               | 5.5
price_0day             | $5k-$25k                                                                          | $5k-$25k                                                                          | $5k-$25k
version                | <=10.4.9                                                                          | <=10.4.9                                                                          | <=10.4.9
upgrade_version        | 10.4.10                                                                           | 10.4.10                                                                           | 10.4.10
cvss2_vuldb_tempscore  | 5.7                                                                               | 5.7                                                                               | 5.7
cvss3_vuldb_tempscore  | 5.3                                                                               | 5.3                                                                               | 5.3
cvss3_meta_tempscore   | 5.3                                                                               | 5.3                                                                               | 5.3
cve_assigned           |                                                                                   | 1601503200                                                                        | 1601503200
cve_nvd_summary        |                                                                                   | (see NVD summary below)                                                           | (see NVD summary below)
cvss2_nvd_av           |                                                                                   |                                                                                   | N
cvss2_nvd_ac           |                                                                                   |                                                                                   | H
cvss2_nvd_au           |                                                                                   |                                                                                   | S
cvss2_nvd_ci           |                                                                                   |                                                                                   | P
cvss2_nvd_ii           |                                                                                   |                                                                                   | N
cvss2_nvd_ai           |                                                                                   |                                                                                   | P
cve_cna                |                                                                                   |                                                                                   | GitHub, Inc.
cvss2_nvd_basescore    |                                                                                   |                                                                                   | 3.6

cve_nvd_summary (identical in the revisions of 10/12/2020 07:49 and 10/12/2020 07:53):

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described.
