Description
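A missing access check allows an authenticated backend user to view and export data of translatable fields that are outside of the user's access scope, resulting in information disclosure. The records below track this issue as CVE-2020-25025 (CWE-863, incorrect authorization) and list l10nmgr before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 as affected.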
Affected Software
Related
{"id": "TYPO3-EXT-SA-2020-016", "type": "typo3", "bulletinFamily": "software", "title": "Information Disclosure in extension \"Localization Manager\" (l10nmgr)", "description": "A missing access check allows an authenticated backend user to view and export data of translatable fields which are outside of the users access scope resulting in Information Disclosure.\n", "published": "2020-09-02T00:00:00", "modified": "2020-09-02T00:00:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "href": "https://typo3.org/security/advisory/typo3-ext-sa-2020-016", "reporter": "TYPO3 Association", "references": [], "cvelist": ["CVE-2020-25025"], "immutableFields": [], "lastseen": "2021-08-10T12:24:00", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-25025"]}, {"type": "github", "idList": ["GHSA-CV9J-78F7-W6V9"]}, {"type": "osv", "idList": ["OSV:GHSA-CV9J-78F7-W6V9"]}]}, "score": {"value": 4.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-25025"]}, {"type": "github", 
"idList": ["GHSA-CV9J-78F7-W6V9"]}, {"type": "nessus", "idList": ["TYPO3_DETECT.NASL"]}, {"type": "osv", "idList": ["OSV:GHSA-CV9J-78F7-W6V9"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "l10nmgr", "version": 7}, {"name": "l10nmgr", "version": 8}, {"name": "l10nmgr", "version": 8}, {"name": "l10nmgr", "version": 9}, {"name": "l10nmgr", "version": 9}]}, "epss": [{"cve": "CVE-2020-25025", "epss": "0.000540000", "percentile": "0.205960000", "modified": "2023-03-16"}], "vulnersScore": 4.5}, "affectedSoftware": [{"version": "7.3.3", "operator": "le", "name": "l10nmgr"}, {"version": "8.0.0", "operator": "ge", "name": "l10nmgr"}, {"version": "8.6.0", "operator": "le", "name": "l10nmgr"}, {"version": "9.0.0", "operator": "ge", "name": "l10nmgr"}, {"version": "9.1.0", "operator": "le", "name": "l10nmgr"}], "_state": {"dependencies": 1659966727, "score": 1684005285, "affected_software_major_version": 1677294086, "epss": 1679050336}, "_internal": {"score_hash": "85ac8b933a1b78e8ccfbadaeb265000b"}}
{"osv": [{"lastseen": "2023-04-11T01:30:12", "description": "The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-07-26T21:41:22", "type": "osv", "title": "Incorrect Authorization in TYPO3 extension", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25025"], "modified": "2023-04-11T01:29:57", "id": "OSV:GHSA-CV9J-78F7-W6V9", "href": "https://osv.dev/vulnerability/GHSA-cv9j-78f7-w6v9", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-06-06T14:37:58", "description": "The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", 
"baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-09-02T17:15:00", "type": "cve", "title": "CVE-2020-25025", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25025"], "modified": "2021-07-21T11:39:00", "cpe": [], "id": "CVE-2020-25025", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25025", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}], "github": [{"lastseen": "2023-06-06T15:20:04", "description": "The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-07-26T21:41:22", "type": "github", "title": "Incorrect Authorization in TYPO3 extension", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25025"], "modified": "2023-02-01T05:06:11", "id": "GHSA-CV9J-78F7-W6V9", "href": "https://github.com/advisories/GHSA-cv9j-78f7-w6v9", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}]}