CVE-2020-15099
published 2020-07-29
Priority: P3 52 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.78% (75.5th percentile)
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows the ability to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions. This has been patched in versions 9.5.20 and 10.4.6.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| friendsoftypo3 | mediace | >= 7.6.2 < 7.6.5 | 7.6.5 |
| typo3 | cms | >= 10.0.0 < 10.4.6 | 10.4.6 |
| typo3 | cms | >= 9.0.0 < 9.5.20 | 9.5.20 |
| typo3 | cms-core | >= 10.0.0 < 10.4.6 | 10.4.6 |
| typo3 | cms-core | >= 9.0.0 < 9.5.20 | 9.5.20 |
| typo3 | typo3 | >= 10.0.0 < 10.4.6 | 10.4.6 |
| typo3 | typo3 | >= 9.0.0 < 9.5.20 | 9.5.20 |
| typo3 | typo3_cms | — | — |
| typo3 | typo3_cms | — | — |
CVSS provenance
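| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 8.1 | HIGH | — |
| osv | — | 8.1 | HIGH | — |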
OSV
Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS
osv·2020-07-29
CVE-2020-15099 [HIGH] Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (7.5)
> * CWE-20, CWE-200
### Problem
In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal _encryptionKey_ was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch _typo3conf/LocalConfiguration.php_ which again contains the _encryptionKey_ as well as credentials of the database management system being used.
In case a database server is directly accessible either via internet or in a shared hosting network, this allows to completely retrieve, manipul
OSV
Potential Remote Code Execution in TYPO3 with mediace extension
osv·2020-07-29·CVSS 8.1
CVE-2020-15086 [HIGH] Potential Remote Code Execution in TYPO3 with mediace extension
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (9.1)
> * CWE-325, CWE-20, CWE-200, CWE-502
### Problem
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.
* [TYPO3-CORE-SA-2020-007](https://typo3.org/security/advisory/typo3-core-sa-2020-007), [CVE-2020-15099](https://nvd.nist.gov/vuln/detail/CVE-2020-15099): Potential Privilege Escalation
  + the database server used for a TYPO3 installation must be accessible for an attacker (either via internet or shared hosting network)
  +
OSV
Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
osv·2020-07-29·CVSS 8.1
CVE-2020-15098 [HIGH] Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (8.2)
> * CWE-325, CWE-20, CWE-200, CWE-502
### Problem
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.
* [TYPO3-CORE-SA-2020-007](https://typo3.org/security/advisory/typo3-core-sa-2020-007), [CVE-2020-15099](https://nvd.nist.gov/vuln/detail/CVE-2020-15099): Potential Privilege Escalation
  + the database server used for a TYPO3 installation must be accessible for an attacker (either via internet
GHSA
Potential Remote Code Execution in TYPO3 with mediace extension
ghsa·2020-07-29·CVSS 8.1
CVE-2020-15086 [HIGH] CWE-20 Potential Remote Code Execution in TYPO3 with mediace extension
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (9.1)
> * CWE-325, CWE-20, CWE-200, CWE-502
### Problem
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.
* [TYPO3-CORE-SA-2020-007](https://typo3.org/security/advisory/typo3-core-sa-2020-007), [CVE-2020-15099](https://nvd.nist.gov/vuln/detail/CVE-2020-15099): Potential Privilege Escalation
  + the database server used for a TYPO3 installation must be accessible for an attacker (either via internet or shared hosting network)
  +
GHSA
Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
ghsa·2020-07-29·CVSS 8.1
CVE-2020-15098 [HIGH] CWE-20 Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (8.2)
> * CWE-325, CWE-20, CWE-200, CWE-502
### Problem
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.
* [TYPO3-CORE-SA-2020-007](https://typo3.org/security/advisory/typo3-core-sa-2020-007), [CVE-2020-15099](https://nvd.nist.gov/vuln/detail/CVE-2020-15099): Potential Privilege Escalation
  + the database server used for a TYPO3 installation must be accessible for an attacker (either via internet
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS
ghsa·2020-07-29
CVE-2020-15099 [HIGH] CWE-20 Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (7.5)
> * CWE-20, CWE-200
### Problem
In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal _encryptionKey_ was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch _typo3conf/LocalConfiguration.php_ which again contains the _encryptionKey_ as well as credentials of the database management system being used.
In case a database server is directly accessible either via internet or in a shared hosting network, this allows to completely retrieve, manipul
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-07-29