Lucene search

K
osvGoogleOSV:GHSA-C5WX-6C2C-F7RM
HistoryDec 13, 2022 - 5:11 p.m.

TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework

2022-12-1317:11:46
Google
osv.dev
11
arbitrary code execution
form framework
typoscript
typo3 versions

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

39.0%

Problem

Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code.

The existence of individual TypoScript instructions for a particular form item (known as formDefinitionOverrides) and a valid backend user account with access to the form module are needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

References

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

39.0%