TYPO3 up to 10.4.9 RSS Widget XML External Entity


A vulnerability classified as critical was found in TYPO3 up to 10.4.9 (Content Management System). Affected by this vulnerability is an unknown function of the component RSS Widget. Upgrading to version 10.4.10 eliminates this vulnerability.

Timeline


ID       | Committed  | User    | Field                 | Change | Remarks | Moderated  | Reason   | C
10716494 | 10/12/2020 | VulD... | cvss2_nvd_basescore   | 3.6 | nist.gov | 10/12/2020 | accepted | 90
10716493 | 10/12/2020 | VulD... | cve_cna               | GitHub, Inc. | nvd.nist.gov | 10/12/2020 | accepted | 70
10716492 | 10/12/2020 | VulD... | cvss2_nvd_ai          | P | nvd.nist.gov | 10/12/2020 | accepted | 70
10716491 | 10/12/2020 | VulD... | cvss2_nvd_ii          | N | nvd.nist.gov | 10/12/2020 | accepted | 70
10716490 | 10/12/2020 | VulD... | cvss2_nvd_ci          | P | nvd.nist.gov | 10/12/2020 | accepted | 70
10716489 | 10/12/2020 | VulD... | cvss2_nvd_au          | S | nvd.nist.gov | 10/12/2020 | accepted | 70
10716488 | 10/12/2020 | VulD... | cvss2_nvd_ac          | H | nvd.nist.gov | 10/12/2020 | accepted | 70
10716487 | 10/12/2020 | VulD... | cvss2_nvd_av          | N | nvd.nist.gov | 10/12/2020 | accepted | 70
10716486 | 10/12/2020 | VulD... | cve_nvd_summary       | TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described. | cve.mitre.org | 10/12/2020 | accepted | 70
10716485 | 10/12/2020 | VulD... | cve_assigned          | 1601503200 | cve.mitre.org | 10/12/2020 | accepted | 70
10654044 | 24/11/2020 | VulD... | price_0day            | $5k-$25k | see documentation | 24/11/2020 | accepted | 90
10654043 | 24/11/2020 | VulD... | cvss3_meta_tempscore  | 5.3 | see documentation | 24/11/2020 | accepted | 90
10654042 | 24/11/2020 | VulD... | cvss3_meta_basescore  | 5.5 | see documentation | 24/11/2020 | accepted | 90
10654041 | 24/11/2020 | VulD... | cvss3_vuldb_tempscore | 5.3 | | 24/11/2020 | accepted | 90
10654040 | 24/11/2020 | VulD... | cvss3_vuldb_basescore | 5.5 | | 24/11/2020 | accepted | 90
10654039 | 24/11/2020 | VulD... | cvss2_vuldb_tempscore | 5.7 | | 24/11/2020 | accepted | 90
10654038 | 24/11/2020 | VulD... | cvss2_vuldb_basescore | 6.5 | | 24/11/2020 | accepted | 90
10654037 | 24/11/2020 | VulD... | cvss3_vuldb_e         | X | derived from historical data | 24/11/2020 | accepted | 80
10654036 | 24/11/2020 | VulD... | cvss2_vuldb_e         | ND | derived from historical data | 24/11/2020 | accepted | 80
10654035 | 24/11/2020 | VulD... | cvss2_vuldb_au        | S | derived from historical data | 24/11/2020 | accepted | 80
