typo3 -- Missing access check in Extbase

ID 3CAF4E6C-4CEF-11E6-A15F-00248C0C745D
Type freebsd
Reporter FreeBSD
Modified 2016-05-24T00:00:00


TYPO3 reports:

Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.