Server-side Request Forgery (SSRF) affecting typo3/cms-core package, versions >=10.0.0, <10.4.2 and >=9.0.0, <9.5.17


Severity: high

Snyk CVSS
  • Attack Complexity: Low
  • User Interaction: Required
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Threat Intelligence
  • Exploit Maturity: Mature
  • EPSS: 0.07% (30th percentile)

NVD: 8.8 high

  • Snyk ID SNYK-PHP-TYPO3CMSCORE-568942
  • published 12 May 2020
  • disclosed 12 May 2020
  • credit Matteo Bonaker

How to fix?

Upgrade typo3/cms-core to version 10.4.2, 9.5.17 or higher.

Overview

typo3/cms-core is a free open source enterprise content management system.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). It has been discovered that the backend user interface and install tool are vulnerable to same-site request forgery. A backend user can be tricked into interacting with a malicious resource that an attacker previously managed to upload to the web server; scripts embedded in that resource are then executed with the privileges of the victim's user session.

In the worst case, new admin users can be created that the attacker can use directly. The vulnerability is essentially a cross-site request forgery (CSRF) triggered by a cross-site scripting (XSS) vulnerability, but it happens on the same target host, so it is actually a same-site request forgery (SSRF).

A malicious payload, such as HTML containing JavaScript, may be provided either by an authenticated backend user or by a non-authenticated user via a third-party extension, for example a file upload in a contact form where the attacker knows the resulting target location.

For the attack to succeed, the victim must have an active and valid backend or install tool user session at the time of the attack.
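The root cause described above is that an uploaded HTML file is rendered inline from the same origin as the backend, so any script it contains runs with the logged-in user's session. The following PHP handler is an added example, not TYPO3 code and not part of the Snyk advisory; it shows one defensive pattern for serving user uploads so that they cannot execute in the backend's origin. The upload root, the `f` query parameter and the function names are assumptions made for this example.

```php
<?php
// Added example (not TYPO3 code): a hardened handler for serving user-uploaded
// files from the same origin as an administrative backend.
// Assumptions (hypothetical): uploads live under UPLOAD_ROOT and are
// addressed by a relative path in the "f" query parameter.

declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/uploads'; // hypothetical path

// Extensions a browser may interpret as active content when rendered inline.
const ACTIVE_CONTENT_EXTENSIONS = ['html', 'htm', 'xhtml', 'shtml', 'svg', 'xml', 'js', 'mjs'];

/**
 * Resolve the requested file inside UPLOAD_ROOT, rejecting path traversal.
 * Returns the canonical absolute path, or null if the request is not allowed.
 */
function resolveUpload(string $relative): ?string
{
    $root = realpath(UPLOAD_ROOT);
    if ($root === false) {
        return null;
    }
    $path = realpath($root . '/' . $relative);
    if ($path === false) {
        return null;
    }
    // realpath() has already collapsed "..", so a prefix check is sufficient.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/**
 * Build the response headers for an upload so that it is never executed in
 * the backend's origin: active content is forced to download as a generic
 * byte stream, and everything is served with nosniff and a sandboxing CSP.
 */
function headersForUpload(string $path): array
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $isActive = in_array($ext, ACTIVE_CONTENT_EXTENSIONS, true);
    // Keep the filename header free of quotes, newlines and other special characters.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

    $headers = [
        // Stop the browser from guessing a different (scriptable) type.
        'X-Content-Type-Options' => 'nosniff',
        // If the file is rendered at all, it runs in an opaque origin with no
        // access to the site's cookies or session, and cannot load sub-resources.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
        'Content-Disposition' => ($isActive ? 'attachment' : 'inline')
            . '; filename="' . $safeName . '"',
    ];
    // Active content is never given a renderable MIME type.
    // mime_content_type() requires the fileinfo extension, which is normally present.
    $headers['Content-Type'] = $isActive
        ? 'application/octet-stream'
        : (mime_content_type($path) ?: 'application/octet-stream');
    return $headers;
}

/** Send the file referenced by $relative, or a 404 if it is not servable. */
function serveUpload(string $relative): void
{
    $path = resolveUpload($relative);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    foreach (headersForUpload($path) as $name => $value) {
        header($name . ': ' . $value);
    }
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    serveUpload((string) ($_GET['f'] ?? ''));
}
```

Forcing active content to download and adding the `sandbox` CSP directive addresses the execution step; it does not replace the CSRF tokens and origin checks that the backend's state-changing actions (such as creating an admin user) still need, and serving uploads from a separate origin removes the shared-session problem entirely.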