PT-2017-3962 · Typo3 · Typo3

Alex Kellner

Published

2017-01-23

Updated

2022-05-17

CVE-2016-5091

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions TYPO3 versions 4.3.0 through 6.2.24 TYPO3 versions 7.x through 7.6.8 TYPO3 version 8.1.1

Description The issue allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action. It is caused by deserialization problems in the Extbase extension of the TYPO3 content management system. Exploitation of the issue may allow a remote attacker to execute arbitrary code.

Recommendations For TYPO3 versions 4.3.0 through 6.2.24, update to version 6.2.24 or later. For TYPO3 versions 7.x through 7.6.8, update to version 7.6.8 or later. For TYPO3 version 8.1.1, update to a later version.

Exploit

Fix

RCE

Use of a Broken Cryptographic Algorithm

Information Disclosure

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-254CWE-20CWE-327CWE-325CWE-200CWE-502

Related Identifiers

BDU:2020-04846

CVE-2016-5091

GHSA-JXG5-35FJ-CCWF

GHSA-M5VR-3M74-JWXP

Affected Products

Typo3

PT-2017-3962 · Typo3 · Typo3

CVE-2016-5091

Weakness Enumeration

Related Identifiers

Affected Products

References · 18