Lucene search

K
githubGitHub Advisory DatabaseGHSA-C5WX-6C2C-F7RM
HistoryDec 13, 2022 - 5:11 p.m.

TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework

2022-12-1317:11:46
CWE-94
GitHub Advisory Database
github.com
15
typo3
arbitrary code execution
form framework
typoscript
php code
exploit
update
elts
typo3-core-sa-2022-015

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

39.0%

Problem

Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code.

The existence of individual TypoScript instructions for a particular form item (known as formDefinitionOverrides) and a valid backend user account with access to the form module are needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

References

Affected configurations

Vulners
Node
typo3cms_poll_system_extensionRange<12.1.1
OR
typo3cms_poll_system_extensionRange<11.5.20
OR
typo3cms_poll_system_extensionRange<10.4.33
OR
typo3cms_poll_system_extensionRange<12.1.1
OR
typo3cms_poll_system_extensionRange<11.5.20
OR
typo3cms_poll_system_extensionRange<10.4.33
OR
typo3cms_poll_system_extensionRange<9.5.38
OR
typo3cms_poll_system_extensionRange<8.7.49

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

39.0%