FreeBSDE6839625-FDFA-11E2-9430-20CF30E32F6Dtypo3 -- Multiple vulnerabilities in TYPO3 Core
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
0.015 Low
EPSS
Percentile
87.2%
Typo Security Team reports:
It has been discovered that TYPO3 Core is vulnerable to
Cross-Site Scripting and Remote Code Execution.
TYPO3 bundles flash files for video and audio playback. Old
versions of FlowPlayer and flashmedia are susceptible to
Cross-Site Scripting. No authentication is required to exploit
this vulnerability.
The file upload component and the File Abstraction Layer are
failing to check for denied file extensions, which allows
authenticated editors (even with limited permissions) to
upload php files with arbitrary code, which can then be
executed in web server’s context.
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
0.015 Low
EPSS
Percentile
87.2%