
             AUSCERT External Security Bulletin Redistribution

                 FreeBSD typo3 -- multiple vulnerabilities
                                14 May 2020


        AusCERT Security Bulletin Summary

Product:           typo3
Publisher:         FreeBSD
Operating System:  FreeBSD
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Existing Account            
                   Delete Arbitrary Files          -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11069 CVE-2020-11067 CVE-2020-11066
                   CVE-2020-11065 CVE-2020-11064 CVE-2020-11063

Original Bulletin: 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than FreeBSD. It is recommended that administrators
         running typo3 check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports

typo3 -- multiple vulnerabilities

Affected packages
  typo3-9-php72  < 9.5.17
  typo3-9-php73  < 9.5.17
  typo3-9-php74  < 9.5.17
  typo3-10-php72 < 10.4.2
  typo3-10-php73 < 10.4.2
  typo3-10-php74 < 10.4.2


VuXML ID  59fabdf2-9549-11ea-9448-08002728f74c
Discovery 2020-05-12
Entry     2020-05-13

Typo3 News:

    CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password

    It has been discovered that time-based attacks can be used with the
    password reset functionality for backend users. This allows an attacker to
    verify whether a backend user account with a given email address exists or

    CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine

    It has been discovered that HTML placeholder attributes containing data of
    other database records are vulnerable to cross-site scripting. A valid
    backend user account is needed to exploit this vulnerability.

    CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link

    It has been discovered that link tags generated by typolink functionality
    are vulnerable to cross-site scripting - properties being assigned as HTML
    attributes have not been parsed correctly.

    CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing
    side-effects when being unserialized

    Calling unserialize() on malicious user-submitted content can result in the
    following scenarios:

    - trigger deletion of arbitrary directory in file system (if writable for
    web server)

    - trigger message submission via email using identity of web site (mail

    Another insecure deserialization vulnerability is required to actually
    exploit mentioned aspects.

    CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend
    User Settings

    It has been discovered that backend user settings (in $BE_USER->uc) are
    vulnerable to insecure deserialization. In combination with vulnerabilities
    of 3rd party components this can lead to remote code execution. A valid
    backend user account is needed to exploit this vulnerability.
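    The two deserialization entries above (CVE-2020-11066 and CVE-2020-11067)
    share one mechanism: unserialize() on attacker-controlled data instantiates
    whatever class the payload names, and that class's destructor runs when the
    object is freed. The following is an added illustration, not TYPO3 code; the
    class TempDirCleaner, its recorded side effect and the serialized string are
    all constructed for the example, and the hardened loader uses the
    allowed_classes option that PHP's own unserialize() provides.

```php
<?php
// Added example (not TYPO3 code): why unserialize() on untrusted input is
// dangerous, and how restricting allowed classes keeps destructors from running.

// Hypothetical class standing in for any class whose destructor has side effects.
// The real-world risk described above is a destructor that removes a directory;
// here the side effect is only recorded, so the script is safe to run.
final class TempDirCleaner
{
    public static $sideEffects = [];
    public $path = '';

    public function __destruct()
    {
        // In a vulnerable class this would be something like rmdir($this->path).
        self::$sideEffects[] = "would remove {$this->path}";
    }
}

// Constructed attacker-controlled string: a serialized TempDirCleaner whose
// path points at a directory the attacker wants gone.
$untrusted = 'O:14:"TempDirCleaner":1:{s:4:"path";s:8:"/var/www";}';

// Vulnerable: any class named in the payload is instantiated, so __destruct
// fires as soon as the returned object goes out of scope.
function vulnerableLoad(string $data)
{
    return unserialize($data);
}

// Hardened: no classes may be instantiated. Objects come back as
// __PHP_Incomplete_Class, which has no destructor, so nothing fires.
function hardenedLoad(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

$obj = vulnerableLoad($untrusted);
unset($obj);                               // destructor runs here
printf("vulnerable: %d side effect(s): %s\n",
    count(TempDirCleaner::$sideEffects), implode(', ', TempDirCleaner::$sideEffects));

TempDirCleaner::$sideEffects = [];
$obj = hardenedLoad($untrusted);
$cls = get_class($obj);                    // "__PHP_Incomplete_Class"
unset($obj);                               // no destructor exists, nothing recorded
printf("hardened: object class %s, %d side effect(s)\n",
    $cls, count(TempDirCleaner::$sideEffects));
```

    Where the stored data is a plain settings array, as with the backend user
    settings above, a format that cannot express objects at all (for example
    json_encode/json_decode) removes the class instantiation step entirely.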

    CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to
    Backend User Interface

    It has been discovered that the backend user interface and install tool are
    vulnerable to same-site request forgery. A backend user can be tricked into
    interacting with a malicious resource an attacker previously managed to
    upload to the web server - scripts are then executed with the privileges of
    the victim's user session.

    In a worst case scenario new admin users can be created which can directly
    be used by an attacker. The vulnerability is basically a cross-site request
    forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) -
    but happens on the same target host - thus, it's actually a same-site
    request forgery (SSRF).

    Malicious payload such as HTML containing JavaScript might be provided by
    either an authenticated backend user or by a non-authenticated user using a
    3rd party extension - e.g. file upload in a contact form when knowing the
    target location.

    The attacked victim requires an active and valid backend or install tool
    user session at the time of the attack to be successful.



CVE Name CVE-2020-11063
CVE Name CVE-2020-11064
CVE Name CVE-2020-11065
CVE Name CVE-2020-11066
CVE Name CVE-2020-11067
CVE Name CVE-2020-11069
URL      https://get.typo3.org/release-notes/10.4.2
URL      https://get.typo3.org/release-notes/9.5.17
URL      https://typo3.org/article/
URL      https://typo3.org/security/advisory/typo3-core-sa-2020-001
URL      https://typo3.org/security/advisory/typo3-core-sa-2020-002
URL      https://typo3.org/security/advisory/typo3-core-sa-2020-003
URL      https://typo3.org/security/advisory/typo3-core-sa-2020-004
URL      https://typo3.org/security/advisory/typo3-core-sa-2020-005
URL      https://typo3.org/security/advisory/typo3-core-sa-2020-006

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967