Описание
TYPO3 Security Misconfiguration in Install Tool Cookie
It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.
Ссылки
- https://github.com/TYPO3/typo3/commit/13328b0f74ac589a20b021db814dfa672581c26a
- https://github.com/TYPO3/typo3/commit/918e50e4d20d88c7e40ad3bb134267d07706b0b1
- https://github.com/TYPO3/typo3/commit/a5359491e3fb3164a6ba96a66c8e67fbb9971a4c
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-12-11-4.yaml
- https://typo3.org/security/advisory/typo3-core-sa-2018-009
Пакеты
Наименование
typo3/cms
composer
Затронутые версииВерсия исправления
>= 7.0.0, < 7.6.32
7.6.32
Наименование
typo3/cms
composer
Затронутые версииВерсия исправления
>= 8.0.0, < 8.7.21
8.7.21
Наименование
typo3/cms
composer
Затронутые версииВерсия исправления
>= 9.0.0, < 9.5.2
9.5.2
8.1 High
CVSS3
Дефекты
CWE-1004
8.1 High
CVSS3
Дефекты
CWE-1004