===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1685
                  FreeBSD typo3 -- multiple vulnerabilities
                                 14 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           typo3
Publisher:         FreeBSD
Operating System:  FreeBSD
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account
                   Delete Arbitrary Files          -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11069 CVE-2020-11067 CVE-2020-11066
                   CVE-2020-11065 CVE-2020-11064 CVE-2020-11063

Original Bulletin:
   http://www.vuxml.org/freebsd/59fabdf2-9549-11ea-9448-08002728f74c.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than FreeBSD. It is recommended that administrators
         running typo3 check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

typo3 -- multiple vulnerabilities

Affected packages
    typo3-9-php72   < 9.5.17
    typo3-9-php73   < 9.5.17
    typo3-9-php74   < 9.5.17
    typo3-10-php72  < 10.4.2
    typo3-10-php73  < 10.4.2
    typo3-10-php74  < 10.4.2

Details
    VuXML ID   59fabdf2-9549-11ea-9448-08002728f74c
    Discovery  2020-05-12
    Entry      2020-05-13

Typo3 News:

CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset

It has been discovered that time-based attacks can be used with the password
reset functionality for backend users. This allows an attacker to verify
whether a backend user account with a given email address exists or not.

CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine

It has been discovered that HTML placeholder attributes containing data of
other database records are vulnerable to cross-site scripting. A valid
backend user account is needed to exploit this vulnerability.

CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling

It has been discovered that link tags generated by typolink functionality are
vulnerable to cross-site scripting: properties being assigned as HTML
attributes have not been parsed correctly.

CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized

Calling unserialize() on malicious user-submitted content can result in the
following scenarios:

  - trigger deletion of an arbitrary directory in the file system (if
    writable for the web server)
  - trigger message submission via email using the identity of the web site
    (mail relay)

Another insecure deserialization vulnerability is required to actually
exploit the mentioned aspects.

CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings

It has been discovered that backend user settings (in $BE_USER->uc) are
vulnerable to insecure deserialization. In combination with vulnerabilities
of 3rd party components this can lead to remote code execution. A valid
backend user account is needed to exploit this vulnerability.

CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface

It has been discovered that the backend user interface and install tool are
vulnerable to same-site request forgery. A backend user can be tricked into
interacting with a malicious resource an attacker previously managed to
upload to the web server; scripts are then executed with the privileges of
the victim's user session. In a worst case scenario new admin users can be
created which can directly be used by an attacker.

The vulnerability is basically a cross-site request forgery (CSRF) triggered
by a cross-site scripting vulnerability (XSS), but it happens on the same
target host; thus, it's actually a same-site request forgery (SSRF).

Malicious payload such as HTML containing JavaScript might be provided by
either an authenticated backend user or by a non-authenticated user using a
3rd party extension, e.g. file upload in a contact form, knowing the target
location. The attacked victim requires an active and valid backend or
install tool user session at the time of the attack for it to be successful.

References

    CVE Name  CVE-2020-11063
    CVE Name  CVE-2020-11064
    CVE Name  CVE-2020-11065
    CVE Name  CVE-2020-11066
    CVE Name  CVE-2020-11067
    CVE Name  CVE-2020-11069
    URL       https://get.typo3.org/release-notes/10.4.2
    URL       https://get.typo3.org/release-notes/9.5.17
    URL       https://typo3.org/article/typo3-1042-and-9517-security-releases-published
    URL       https://typo3.org/security/advisory/typo3-core-sa-2020-001
    URL       https://typo3.org/security/advisory/typo3-core-sa-2020-002
    URL       https://typo3.org/security/advisory/typo3-core-sa-2020-003
    URL       https://typo3.org/security/advisory/typo3-core-sa-2020-004
    URL       https://typo3.org/security/advisory/typo3-core-sa-2020-005
    URL       https://typo3.org/security/advisory/typo3-core-sa-2020-006

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
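Hardening the unserialize() call that the TYPO3-CORE-SA-2020-004/005 entries above describe, as an added example that is neither the bulletin's nor TYPO3's own code. The function names and the settings keys are constructed for illustration; the only real API used is PHP's unserialize() with its allowed_classes option.

```php
<?php
// Added example, not TYPO3 code: unserialize() hardening relevant to
// CVE-2020-11066 / CVE-2020-11067. Function names are illustrative.
declare(strict_types=1);

// Vulnerable pattern: plain unserialize() on content a backend user can
// influence. Any autoloadable class with __wakeup()/__destruct() side
// effects becomes reachable through the stored payload.
function loadUserSettingsInsecure(string $stored): array
{
    $uc = unserialize($stored);
    return is_array($uc) ? $uc : [];
}

// Hardened pattern: allowed_classes => false makes PHP materialise every
// serialized object as __PHP_Incomplete_Class, so no magic method of an
// attacker-chosen class ever runs. Anything that is not a plain array of
// scalars/arrays is then discarded instead of trusted.
function loadUserSettingsSafe(string $stored): array
{
    $uc = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($uc) || containsObject($uc)) {
        return [];   // tampered or unexpected settings: fall back to defaults
    }
    return $uc;
}

function containsObject(array $data): bool
{
    foreach ($data as $value) {
        if (is_object($value)) {       // also true for __PHP_Incomplete_Class
            return true;
        }
        if (is_array($value) && containsObject($value)) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: an ordinary settings array, and one that smuggles a
// serialized object (class name arbitrary; no such class needs to exist).
$legit    = serialize(['lang' => 'en', 'theme' => 'dark']);
$smuggled = 'a:1:{s:3:"foo";O:8:"Whatever":1:{s:1:"x";i:1;}}';

var_dump(loadUserSettingsSafe($legit));     // the two keys survive intact
var_dump(loadUserSettingsSafe($smuggled));  // rejected: empty settings array
```

The same refusal to instantiate classes also blocks the destructor side effects listed under CVE-2020-11066, since no destructor of a real class is ever created.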