Lucene search

GitHub_MCVE-2020-26229

HistoryNov 23, 2020 - 10:15 p.m.

CVE-2020-26229

2020-11-2322:15:12

CWE-611

GitHub_M

web.nvd.nist.gov

typo3

cve-2020-26229

web content management system

php

rss widgets

xml external entity

security vulnerability

update

CVSS2

3.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:H/Au:S/C:P/I:N/A:P

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L

AI Score

4.2

Confidence

High

EPSS

0.001

Percentile

31.4%

JSON

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described.

Affected configurations

Nvd

Vulners

Node

typo3typo3Range10.0.0–10.4.10

VendorProductVersionCPE
typo3typo3*cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
typo3	typo3	*	cpe:2.3:a:typo3:typo3::::::::

CNA Affected

[
  {
    "product": "TYPO3.CMS",
    "vendor": "TYPO3",
    "versions": [
      {
        "status": "affected",
        "version": ">= 10.0.0, < 10.4.10"
      }
    ]
  }
]