CVE-2020-11069
published 2020-05-14CVE-2020-11069: In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a…
PriorityP338high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
0.70%
48.5th percentile
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it's actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g. file upload in a contact form with knowing the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack. This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested as described below. - Sudo Mode Extension This TYPO3 extension intercepts modifications to security relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to confirmed again by the acting user providing their password again. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated. - https://github.com/FriendsOfTYPO3/sudo-mode - https://extensions.typo3.org/extension/sudo_mode - Content Security Policy Content Security Policies tell (modern) browsers how resources served a particular site are handled. It is also possible to disallow script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for locations /fileadmin/ and /upload
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms | >= 10.0.0 < 10.4.2 | 10.4.2 |
| typo3 | cms | >= 11.2.0 < 11.5.0 | 11.5.0 |
| typo3 | cms | >= 9.0.0 < 9.5.17 | 9.5.17 |
| typo3 | cms-core | >= 10.0.0 < 10.4.2 | 10.4.2 |
| typo3 | cms-core | >= 11.2.0 < 11.5.0 | 11.5.0 |
| typo3 | cms-core | >= 9.0.0 < 9.5.17 | 9.5.17 |
| typo3 | typo3 | — | — |
| typo3 | typo3 | 10.0.0 – 10.4.1 | — |
| typo3 | typo3 | >= 11.2.0 < 11.5.0 | 11.5.0 |
| typo3 | typo3 | 9.0.0 – 9.5.16 | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa8.8HIGH
osv8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Cross-Site-Request-Forgery in Backend
osv·2021-10-05·CVSS 8.8
CVE-2021-41113 [HIGH] Cross-Site-Request-Forgery in Backend
Cross-Site-Request-Forgery in Backend
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (8.2)
### Problem
It has been discovered that the new TYPO3 v11 feature that allows users to create and share [deep links in the backend user interface](https://typo3.org/article/typo3-version-112-escape-the-orbit#c12178) is vulnerable to cross-site-request-forgery.
The impact is the same as described in [TYPO3-CORE-SA-2020-006 (CVE-2020-11069)](https://typo3.org/security/advisory/typo3-core-sa-2020-006). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system.
To successfully carry out an attack, an attacker must tri
GHSA
Cross-Site-Request-Forgery in Backend
ghsa·2021-10-05·CVSS 8.8
CVE-2021-41113 [HIGH] CWE-309 Cross-Site-Request-Forgery in Backend
Cross-Site-Request-Forgery in Backend
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (8.2)
### Problem
It has been discovered that the new TYPO3 v11 feature that allows users to create and share [deep links in the backend user interface](https://typo3.org/article/typo3-version-112-escape-the-orbit#c12178) is vulnerable to cross-site-request-forgery.
The impact is the same as described in [TYPO3-CORE-SA-2020-006 (CVE-2020-11069)](https://typo3.org/security/advisory/typo3-core-sa-2020-006). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system.
To successfully carry out an attack, an attacker must tri
OSV
Backend Same-Site Request Forgery in TYPO3 CMS
osv·2020-05-13
CVE-2020-11069 [HIGH] Backend Same-Site Request Forgery in TYPO3 CMS
Backend Same-Site Request Forgery in TYPO3 CMS
> ### Meta
> * CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
> * CWE-352
> * CWE-346
### Problem
It has been discovered that backend user interface and install tool are vulnerable to same-origin request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims' user session.
In a worst case scenario new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it’s actually a same-origin request forgery.
GHSA
Backend Same-Site Request Forgery in TYPO3 CMS
ghsa·2020-05-13
CVE-2020-11069 [HIGH] CWE-346 Backend Same-Site Request Forgery in TYPO3 CMS
Backend Same-Site Request Forgery in TYPO3 CMS
> ### Meta
> * CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
> * CWE-352
> * CWE-346
### Problem
It has been discovered that backend user interface and install tool are vulnerable to same-origin request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims' user session.
In a worst case scenario new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it’s actually a same-origin request forgery.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-05-14
Published