CVE-2020-15086

Опубликовано: 29 июл. 2020

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. This is fixed in version 7.6.5 of the "mediace" extension for TYPO3.

Ссылки

https://github.com/FriendsOfTYPO3/mediace/commit/fa29ffd3e8b275782a8600d2406e1b1e5e16ae75
Patch
Third Party Advisory
https://github.com/FriendsOfTYPO3/mediace/pull/31
Patch
Third Party Advisory
https://github.com/FriendsOfTYPO3/mediace/security/advisories/GHSA-4h44-w6fm-548g
Exploit
Patch
Third Party Advisory
https://github.com/FriendsOfTYPO3/mediace/commit/fa29ffd3e8b275782a8600d2406e1b1e5e16ae75
Patch
Third Party Advisory
https://github.com/FriendsOfTYPO3/mediace/pull/31
Patch
Third Party Advisory
https://github.com/FriendsOfTYPO3/mediace/security/advisories/GHSA-4h44-w6fm-548g
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:typo3:mediace:*:*:*:*:*:typo3:*:*

Версия от 7.6.2 (включая) до 7.6.5 (исключая)

EPSS

Процентиль: 88%

0.03678

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-20

NVD-CWE-Other

Связанные уязвимости

GHSA-4h44-w6fm-548g