Описание
Typo3 Information Disclosure
Failing to respect user groups of logged in users when caching queries, Extbase is susceptible to information disclosure. The query caching (introduced in Extbase 6.2) used to cache queries that query results for a specific user group were presented to a different group.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2014-3946
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2014-3946.yaml
- https://typo3.org/security/advisory/typo3-core-sa-2014-001
- https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001
- http://www.debian.org/security/2014/dsa-2942
- http://www.openwall.com/lists/oss-security/2014/06/03/2
Пакеты
typo3/cms
>= 6.2.0, < 6.2.3
6.2.3
Связанные уязвимости
The query caching functionality in the Extbase Framework component in TYPO3 6.2.0 before 6.2.3 does not properly validate group permissions, which allows remote authenticated users to read arbitrary queries via unspecified vectors.
The query caching functionality in the Extbase Framework component in TYPO3 6.2.0 before 6.2.3 does not properly validate group permissions, which allows remote authenticated users to read arbitrary queries via unspecified vectors.
The query caching functionality in the Extbase Framework component in ...