CRITICAL🇬🇧 English

CVE-2020-15086

CVSS 9.8v3.1pub. 2020-07-29upd. 2024-11-21

In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one `Extbase` plugin or module action in a TYPO3 installation. This is fixed in version 7.6.5 of the "mediace" extension for TYPO3.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Typo3 Mediace

    APP
    Typo3
    7.6.2 – 7.6.5 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEDeserialization
CWE
Referencje

Powiązane podatności

CVE-2011-3583CRITICAL9.8ten sam vendor

It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are...

CVE-2011-4628CRITICAL9.8ten sam vendor

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authenticati...

CVE-2019-11831CRITICAL9.8ten sam vendor

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does n...

CVE-2019-11830CRITICAL9.8ten sam vendor

PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x be...

CVE-2026-6553HIGH7.3ten sam vendor

Changing backend users' passwords via the user settings module results in storing the cleartext password in th...