CVE-2008-5801 - Code Injection vulnerability in Typo3 Dictionary Extension

Publication

2008-12-31

Last modification

2017-08-08

Summary

Unspecified vulnerability in the Dictionary (rtgdictionary) extension 0.1.9 and earlier for TYPO3 allows attackers to execute arbitrary code via unknown vectors.

Description

The rtgdictionary extension for TYPO3 is prone to a vulnerability that lets remote attackers upload and execute arbitrary script code on an affected computer with the privileges of the webserver process. The issue occurs because the application fails to sanitize user-supplied input. This issue affects rtgdictionary 0.1.9 and prior versions.

Solution

The vendor has released an update. Please see the references for more information.

Robert Gonda rtgdictionary 0.1.9

  • Robert Gonda rtgdictionary_0.2.1.t3x
    http://typo3.org/fileadmin/ter/r/t/rtgdictionary_0.2.1.t3x

Exploit

Attackers can exploit this issue via a browser.

Classification

CWE-94 - Code Injection

Risk level (CVSS AV:N/AC:L/Au:N/C:C/I:C/A:C)

High

10.0

Access Vector

  • Network

Access Complexity

  • Low

Authentication

  • None

Confidentiality Impact

  • Complete

Integrity Impact

  • Complete

Affected Products

Vendor: Typo3
Product: Dictionary Extension
Versions: 0.1.9, 0.1.8, 0.1.7, 0.1.6, 0.1.5