SB2019012203 - Multiple vulnerabilities in TYPO3
Published: January 22, 2019 Updated: January 28, 2019
Description
This security bulletin contains information about 10 security vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the third-party component websvg due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
2) Code Injection (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to improper input validation in the TYPO3 core API method CommandUtility::checkCommand(), which is available for use by third-party TYPO3 extensions. A remote attacker can send a specially crafted request to an affected extension and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, but requires that a specific extension is in use.
3) Remote code execution (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']. A remote attacker can upload *.phar, *.shtml, *.pl or *.cgi files, which can be executed in certain web server setups.
Successful exploitation of the vulnerability may result in system compromise.
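As an added example (not from this bulletin or the TYPO3 project), the following Python script checks whether a fileDenyPattern-style regex actually rejects the extensions named above, including double-extension names that some web server setups still execute. The two patterns and the sample filenames are constructed for illustration; they are modelled on the shape of TYPO3's setting, not copied from its defaults.

```python
import re

# Constructed deny patterns (assumptions, not TYPO3's verbatim defaults).
# The weak one blocks only the PHP family; the hardened one also covers the
# extensions this advisory names (.phar, .shtml, .pl, .cgi).
WEAK_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$"
HARDENED_DENY_PATTERN = (
    r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"
)

# Extensions an administrator should confirm are denied after this advisory.
REQUIRED_BLOCKED = ["php", "phar", "shtml", "pl", "cgi"]


def is_denied(filename: str, pattern: str) -> bool:
    """True if the upload filename matches the deny pattern (case-insensitive).

    The trailing (\\..*)?$ group also catches double extensions such as
    'shell.php.txt', which mod_mime-style handlers may still execute.
    """
    return re.search(pattern, filename, re.IGNORECASE) is not None


def allowed_uploads(pattern: str, filenames) -> list:
    """Return the filenames the given pattern would let through."""
    return [name for name in filenames if not is_denied(name, pattern)]


def missing_extensions(pattern: str, required=REQUIRED_BLOCKED) -> list:
    """Return the required extensions a configured pattern fails to deny."""
    return [ext for ext in required if not is_denied(f"probe.{ext}", pattern)]


# Constructed sample upload names mixing benign and dangerous cases.
SAMPLE_UPLOADS = [
    "report.pdf", "photo.JPG", "app.php", "app.php.txt",
    "tool.phar", "page.shtml", "script.pl", "form.cgi", ".htaccess",
]

if __name__ == "__main__":
    for label, pattern in (("weak", WEAK_DENY_PATTERN),
                           ("hardened", HARDENED_DENY_PATTERN)):
        print(label, "lets through:", allowed_uploads(pattern, SAMPLE_UPLOADS))
        print(label, "missing:", missing_extensions(pattern))
```

Run missing_extensions() against the pattern actually configured on an instance to confirm the fix is in effect rather than relying on the version number alone.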
4) Cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the Form Framework due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
5) Cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the Bootstrap CSS toolkit due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
6) Cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in Fluid ViewHelpers due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
7) Cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in Language Pack Handling due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
8) Security restrictions bypass (CVE-ID: N/A)
The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system. The weakness exists due to improper privilege and access control. A remote attacker can modify and create pages in the default language, which should be disallowed.
9) Security restrictions bypass (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists because database records containing insecure or empty credentials might be persisted when the TYPO3 backend is used to create new backend user accounts. A remote attacker can retrieve additional information about the installed system and third-party extensions.
Successful exploitation of the vulnerability may result in some of the following:
- the account contains empty login credentials (username and/or password)
- the account is incomplete and contains weak credentials (username and/or password)
10) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system. The weakness exists due to an error in the mechanisms used to configure RequireJS package loading. A remote attacker can retrieve additional information about the installed system and third-party extensions.
Remediation
Install the update from the vendor's website.
References
- https://typo3.org/security/advisory/typo3-psa-2019-003/
- https://typo3.org/security/advisory/typo3-psa-2019-001/
- https://typo3.org/security/advisory/typo3-core-sa-2019-008/
- https://typo3.org/security/advisory/typo3-core-sa-2019-007/
- https://typo3.org/security/advisory/typo3-core-sa-2019-006/
- https://typo3.org/security/advisory/typo3-core-sa-2019-005/
- https://typo3.org/security/advisory/typo3-core-sa-2019-004/
- https://typo3.org/security/advisory/typo3-core-sa-2019-003/
- https://typo3.org/security/advisory/typo3-core-sa-2019-002/
- https://typo3.org/security/advisory/typo3-core-sa-2019-001/