Vulnerabilities > CVE-2020-11069 - Unspecified vulnerability in Typo3

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

typo3

nessus

NVD

Published: 2020-05-14

Updated: 2021-11-04

Summary

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it's actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g. file upload in a contact form with knowing the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack. This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested as described below. - Sudo Mode Extension This TYPO3 extension intercepts modifications to security relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to confirmed again by the acting user providing their password again. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated. - https://github.com/FriendsOfTYPO3/sudo-mode - https://extensions.typo3.org/extension/sudo_mode - Content Security Policy Content Security Policies tell (modern) browsers how resources served a particular site are handled. It is also possible to disallow script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for locations /fileadmin/ and /uploads/.

Vulnerable Configurations

Part	Description	Count
Application	Typo3 Typo3 Typo3 10.0.0 Typo3 Typo3 10.0.9 Typo3 Typo3 10.0.10 Typo3 Typo3 10.1.0 Typo3 Typo3 10.2.0 Typo3 Typo3 10.2.1 Typo3 Typo3 10.2.2 Typo3 Typo3 10.3.0 Typo3 Typo3 10.4.0 Typo3 Typo3 10.4.1 Typo3 Typo3 9.0.0 Typo3 Typo3 9.0.3 Typo3 Typo3 9.0.4 Typo3 Typo3 9.1.0 Typo3 Typo3 9.1.2 Typo3 Typo3 9.1.3 Typo3 Typo3 9.2.0 Typo3 Typo3 9.2.1 Typo3 Typo3 9.3.0 Typo3 Typo3 9.3.1 Typo3 Typo3 9.3.2 Typo3 Typo3 9.3.3 Typo3 Typo3 9.4.0 Typo3 Typo3 9.5.0 Typo3 Typo3 9.5.1 Typo3 Typo3 9.5.2 Typo3 Typo3 9.5.3 Typo3 Typo3 9.5.4 Typo3 Typo3 9.5.5 Typo3 Typo3 9.5.6 Typo3 Typo3 9.5.7 Typo3 Typo3 9.5.8 Typo3 Typo3 9.5.9 Typo3 Typo3 9.5.10 Typo3 Typo3 9.5.11 Typo3 Typo3 9.5.12 Typo3 Typo3 9.5.13 Typo3 Typo3 9.5.14 Typo3 Typo3 9.5.15 Typo3 Typo3 9.5.16	42

Nessus

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_59FABDF2954911EA944808002728F74C.NASL
description	Typo3 News : CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not. CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly. CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized Calling unserialize() on malicious user-submitted content can result in the following scenarios : - trigger deletion of arbitrary directory in file system (if writable for web server) - trigger message submission via email using identity of website (mail relay) Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface It has been discovered that the backend user interface and install tool are vulnerable to same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims
last seen	2020-05-21
modified	2020-05-14
plugin id	136596
published	2020-05-14
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136596
title	FreeBSD : typo3 -- multiple vulnerabilities (59fabdf2-9549-11ea-9448-08002728f74c)

References

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4