CVSS v2 base score: 6.5 (Medium)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector string: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS v3.1 base score: 8.8 (High)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score: 0.003 (Low)
  Percentile: 70.7%
In TYPO3 CMS versions greater than or equal to 9.0.0 and less than 9.5.20, and
greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered
that an internal verification mechanism can be used to generate arbitrary
checksums. This allows an attacker to inject arbitrary data carrying a valid
cryptographic message authentication code (HMAC-SHA1), which can lead to
various attack chains, including potential privilege escalation, insecure
deserialization and remote code execution. The overall severity of this
vulnerability is rated high based on the attack chains mentioned and the
requirement of having a valid (authenticated) backend user session. This has
been patched in versions 9.5.20 and 10.4.6.
github.com/TYPO3/TYPO3.CMS/commit/85d3e70dff35a99ef53f4b561114acfa9e5c47e1
github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-m5vr-3m74-jwxp
launchpad.net/bugs/cve/CVE-2020-15098
nvd.nist.gov/vuln/detail/CVE-2020-15098
security-tracker.debian.org/tracker/CVE-2020-15098
typo3.org/security/advisory/typo3-core-sa-2016-013
typo3.org/security/advisory/typo3-core-sa-2020-008
www.cve.org/CVERecord?id=CVE-2020-15098