SB2020072812 - Multiple vulnerabilities in TYPO3
Published: July 28, 2020 Updated: May 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-15086)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions within the internal verification mechanism, which leads to security restrictions bypass and privilege escalation.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-15099)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in the eID API subcomponent, which leads to security restrictions bypass and privilege escalation.
3) Improper access control (CVE-ID: CVE-2016-5091)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in Extbase request handling. A remote attacker can send a specially crafted request, bypass implemented security restrictions and execute arbitrary Extbase actions.
Remediation
Install update from vendor's website.