Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:BIT-TYPO3-2020-15098
HistoryMar 06, 2024 - 11:11 a.m.

BIT-typo3-2020-15098

2024-03-0611:11:48
Google
osv.dev
4
typo3 cms
arbitrary checksum generation
privilege escalation
insecure deserialization
remote code execution
patched version
security vulnerability

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

70.7%

JSON

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid backend user session (authenticated). This has been patched in versions 9.5.20 and 10.4.6.

CPENameOperatorVersion
typo3lt10.4.6
typo3lt9.5.20
typo3ge10.0.0
typo3ge9.0.0

Related

ubuntucve 1
cvelist 1
nvd 1
friendsofphp 2
veracode 2
cve 1
prion 1
osv 2
freebsd 1
openvas 1
nessus 1
typo3 1
github 1
ubuntucve
ubuntucve
CVE-2020-15098
2020-07-29 00:00:00
cvelist
cvelist
CVE-2020-15098 Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
2020-07-29 16:15:25
nvd
nvd
CVE-2020-15098
2020-07-29 17:15:13
friendsofphp
friendsofphp
TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure
2020-07-28 08:18:38
TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure
2020-07-28 08:18:38
veracode
veracode
Insecure Cryptography
2020-07-30 02:33:31
Information Disclosure
2020-08-03 06:29:59
cve
cve
CVE-2020-15098
2020-07-29 17:15:13
prion
prion
Deserialization of untrusted data
2020-07-29 17:15:00
osv
osv
CVE-2020-15098
2020-07-29 17:15:13
Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
2020-07-29 16:15:19
freebsd
freebsd
typo3 -- multiple vulnerabilities
2020-07-28 00:00:00
openvas
openvas
TYPO3 9.0.0 < 9.5.20, 10.0.0 < 10.4.6 Multiple Vulnerabilities (TYPO3-CORE-SA-2020-007, TYPO3-CORE-SA-2020-008)
2020-07-30 00:00:00
nessus
nessus
FreeBSD : typo3 -- multiple vulnerabilities (eab964f8-d632-11ea-9172-4c72b94353b5)
2020-08-06 00:00:00
typo3
typo3
Sensitive Information Disclosure
2020-07-28 00:00:00
github
github
Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
2020-07-29 16:15:19

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

70.7%

JSON
Related for OSV:BIT-TYPO3-2020-15098
ubuntucve1cvelist1nvd1friendsofphp2veracode2cve1prion1osv2freebsd1openvas1nessus1typo31github1