Multiple vulnerabilities in Typo3 CMS
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | N/A |
| CWE-ID | CWE-592 CWE-502 CWE-89 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
TYPO3 Web applications / CMS |
| Vendor | TYPO3 |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Authentication bypass
EUVDB-ID: #VU13827
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-592 - Authentication Bypass Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication authentication process.
The vulnerability exists due to an error within the Salted Password system extension (ext:saltedpasswords) when using hashing methods which are related by PHP class inheritance. A remote attacker can bypass authentication and login under any user account using an existing username.
Successful exploitation requires that MD5 is used as a default hashing algorithm (not the default configuration).
Mitigation
Update to version 7.6.30, 8.7.17 or 9.3.1.
Vulnerable software versionsTYPO3: 7.6.0 - 9.3.0
External linkshttp://typo3.org/security/advisory/typo3-core-sa-2018-001/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Deserialization of untrusted data
EUVDB-ID: #VU13828
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable application.
The vulnerability exists due to Typo3 does not check content type of files and allows uploading of Phar files. A remote attacker with valid user account can upload a malicious phar file with a safe extension (e.g. jpg) and execute it on the system with privileges of the web server account.
Successful exploitation of the vulnerability allows remote PHP code execution but requires valid user credentials.
Mitigation
Update to version 7.6.30, 8.7.17 or 9.3.1.
Vulnerable software versionsTYPO3: 7.6.0 - 9.3.0
External linkshttp://typo3.org/security/advisory/typo3-core-sa-2018-002/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) SQL injection
EUVDB-ID: #VU13829
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionMitigation
Update to version 8.7.17 or 9.3.1.
Vulnerable software versionsTYPO3: 8.0.0 - 9.3.0
External linkshttp://typo3.org/security/advisory/typo3-core-sa-2018-003/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Insecure deserialization
EUVDB-ID: #VU13830
Risk: Medium
CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to compromise vulnerable system.
The vulnerability exists due to improper sanitization of user-supplied data in the Form Framework (system extension "form") when being used with the additional PHP PECL package “yaml”. A privileged attacker can upload a specially crafted form template and execute arbitrary PHP code on the server.
Successful exploitation of the vulnerability requires that setting "yaml.decode_php" option is enabled.
Mitigation
Update to version 8.7.17 or 9.3.1.
Vulnerable software versionsTYPO3: 8.0.0 - 9.3.0
External linkshttp://typo3.org/security/advisory/typo3-core-sa-2018-004/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
