TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 is susceptible to remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.
For a successful exploit, the Ghostscript binary gs must be available on the server system.
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-11832.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-11832.yaml
github.com/github/advisory-database/pull/3530
github.com/TYPO3/typo3
github.com/TYPO3/typo3/commit/2c04eeac44733fda491f92c697f88c1337d19c79
github.com/TYPO3/typo3/commit/51fdb774a57ee30e8d60c0e33b4a0b92d775739e
github.com/TYPO3/typo3/commit/e845d90b82b2f72ab12a9e37f15082297832beca
nvd.nist.gov/vuln/detail/CVE-2019-11832
typo3.org/security/advisory/typo3-core-sa-2019-012