SB2019062507 - Multiple vulnerabilities in Typo3

Security Bulletin ID SB2019062507

Severity

High

Patch available

YES

Number of vulnerabilities 7

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2019-12748)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the t3:// URL handling functionality. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

PoC:

t3://url/?url=javascript:alert(1);

2) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions when uploading files via the Import/Export module. A remote authenticated user can bypass ACL restrictions and access import functionality.

This vulnerability does not allow uploading of dangerous files, but can be used in conjunction with other issues to elevate privileges within the application using other vulnerabilities.

3) Authorization bypass through user-controlled key (CVE-ID: N/A)

The vulnerability allows a local user to gain access to another user's session.

The vulnerability exists due to the application does not delete the session identifier after user logs out and stores it in cookies. An attacker with access to victim's browser can obtain session identifier and gain access to victim's account.

4) Code Injection (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the backend API (ext:backend) configuration using Page TSconfig. A remote authenticated attacker with access to modify values for fields pages.TSconfig and pages.tsconfig_includes can send a specially crafted request and execute arbitrary PHP or JavaScript code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

5) Deserialization of Untrusted Data (CVE-ID: CVE-2019-12747)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the FormEngine and DataHandle. A remote authenticated attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions within the element information component used to display properties of a certain record. A remote authenticated attacker can gain access to potentially sensitive information, such as list of reference forms or records.

7) Insecure deserialization (CVE-ID: CVE-2019-10912)

The disclosed vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insecure call of the unserialize() PHP function in untrusted user-input. A remote attacker can send specially crafted HTTP request to the affected system and delete arbitrary files on the system or display raw data output.

Remediation

Install update from vendor's website.

SB2019062507 - Multiple vulnerabilities in Typo3

Breakdown by Severity

Description

Remediation

References

Please verify you're human