#VU18901 Improper access control in TYPO3
Vulnerability identifier: #VU18901
Vulnerability risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
TYPO3
Web applications /
CMS
Vendor: TYPO3
Description
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions when uploading files via the Import/Export module. A remote authenticated user can bypass ACL restrictions and access import functionality.
This vulnerability does not allow uploading of dangerous files, but can be used in conjunction with other issues to elevate privileges within the application using other vulnerabilities.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
TYPO3: 9.5.0 - 9.5.7, 9.3.0 - 9.4.0
External links
http://typo3.org/security/advisory/typo3-core-sa-2019-017/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
