Vulnerabilities > CVE-2020-11066 - Unspecified vulnerability in Typo3
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
HIGH Summary
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2.
Vulnerable Configurations
Nessus
| NASL family | FreeBSD Local Security Checks |
| NASL id | FREEBSD_PKG_59FABDF2954911EA944808002728F74C.NASL |
| description | Typo3 News : CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not. CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly. CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized Calling unserialize() on malicious user-submitted content can result in the following scenarios : - trigger deletion of arbitrary directory in file system (if writable for web server) - trigger message submission via email using identity of website (mail relay) Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface It has been discovered that the backend user interface and install tool are vulnerable to same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims |
| last seen | 2020-05-21 |
| modified | 2020-05-14 |
| plugin id | 136596 |
| published | 2020-05-14 |
| reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/136596 |
| title | FreeBSD : typo3 -- multiple vulnerabilities (59fabdf2-9549-11ea-9448-08002728f74c) |