PT-2020-12529 · Typo3 · Typo3/Cms
Matteo Bonaker
Published 2020-05-13 · Updated 2024-03-06
CVE-2020-11069
CVSS v3.1: 8.0 (High)
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
TYPO3 CMS versions 9.0.0 through 9.5.16
TYPO3 CMS versions 10.0.0 through 10.4.1
Description
The backend user interface and the install tool of TYPO3 CMS are vulnerable to same-site request forgery. An attacker who can place a malicious resource, such as an HTML file containing JavaScript, on the web server under the site's own origin can trick a backend user into opening it. Because the resource is served from the same origin as the backend, the embedded script (in effect a cross-site scripting payload hosted on the site itself) runs with the privileges of the victim's user session and can issue backend requests on the victim's behalf, potentially creating new admin users. This is what distinguishes the issue from ordinary cross-site request forgery: protections such as SameSite cookies or Origin/Referer checks do not help against requests that originate from the site's own origin. Exploitation requires an active and valid backend or install tool user session. The malicious payload can be provided either by an authenticated backend user or by a non-authenticated user through a third-party extension.
Recommendations
Update to TYPO3 version 9.5.17 (9.x branch) or 10.4.2 (10.x branch), or later, to fix the issue.
Consider deploying additional mitigation techniques, such as the Sudo Mode Extension, which intercepts modifications to security-relevant database tables and requires confirmation from the acting user.
Implement a Content Security Policy that disallows script execution for files served from upload locations such as /fileadmin/ and /uploads/, so that an uploaded HTML or SVG file cannot run script in the site's origin even if a backend user opens it.
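The CSP recommendation above is easy to get subtly wrong: a policy that allows 'self' still lets scripts in an uploaded file run, because the uploaded file is itself a same-origin resource, and 'none' is ignored as soon as any other source is listed beside it. The following checker, an added example for this advisory and not code from TYPO3 or from the advisory author, parses the Content-Security-Policy header a server returns for a URL under /fileadmin/ or /uploads/ and reports whether script execution is actually blocked, either through script-src (falling back to default-src) being 'none' or through a sandbox directive without allow-scripts. The sample URLs, headers and the RECOMMENDED_CSP value are constructed for illustration.

```python
"""
Check whether the Content-Security-Policy served for files under /fileadmin/
or /uploads/ actually prevents script execution in an uploaded document.

Added example for this advisory; not part of TYPO3 and not from the advisory
author. All sample data below is constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Paths the advisory recommends protecting with a script-blocking CSP.
PROTECTED_PREFIXES = ("/fileadmin/", "/uploads/")

# Assumed policy for upload locations (illustrative, not a TYPO3-shipped value).
RECOMMENDED_CSP = (
    "default-src 'self'; script-src 'none'; style-src 'none'; "
    "object-src 'none'; frame-ancestors 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directive names are case-insensitive. Browsers ignore a repeated
    directive, so the first occurrence wins here as well.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def blocks_scripts(header: str | None) -> bool:
    """Return True if the policy prevents script execution in the document.

    Blocking happens when script-src (or default-src if script-src is absent)
    is exactly 'none' or has an empty source list, or when a sandbox directive
    is present without the allow-scripts flag. A missing header, or a source
    list that names anything else ('self' included), does not block.
    """
    if not header:
        return False
    policy = parse_csp(header)

    sandbox = policy.get("sandbox")
    if sandbox is not None and "allow-scripts" not in [f.lower() for f in sandbox]:
        return True

    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    return [s.lower() for s in sources] in ([], ["'none'"])


def script_capable_upload(url: str, headers: dict[str, str]) -> bool:
    """True when the URL lies under a protected upload prefix and the response
    headers do not carry a script-blocking CSP. Other paths return False."""
    if not urlsplit(url).path.startswith(PROTECTED_PREFIXES):
        return False
    csp = next(
        (v for k, v in headers.items() if k.lower() == "content-security-policy"),
        None,
    )
    return not blocks_scripts(csp)


# Constructed sample responses, as a scanner might have captured them.
SAMPLES = {
    "https://example.test/fileadmin/user_upload/report.html": {
        "Content-Type": "text/html",  # no CSP at all
    },
    "https://example.test/uploads/media/chart.svg": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    },
    "https://example.test/fileadmin/user_upload/notes.html": {
        "content-security-policy": RECOMMENDED_CSP,
    },
    "https://example.test/fileadmin/user_upload/legacy.html": {
        "Content-Security-Policy": "sandbox allow-forms",
    },
    "https://example.test/typo3/index.php": {},  # backend itself, out of scope
}


def audit(samples: dict[str, dict[str, str]] = SAMPLES) -> list[str]:
    """Return the upload URLs whose response would let uploaded script run."""
    return [url for url, hdrs in samples.items() if script_capable_upload(url, hdrs)]


if __name__ == "__main__":
    for url in audit():
        print("scripts may run in uploaded file:", url)
```

In practice the headers would come from a real request to a file under each upload directory, for example via a HEAD request with curl or a browser's network panel. Setting the policy itself is a web-server matter: an Apache `<LocationMatch "^/(fileadmin|uploads)/">` block with `Header always set Content-Security-Policy "..."`, or the equivalent nginx `location` with `add_header`. A `sandbox` directive is the stronger choice for upload locations, because a sandboxed document without allow-same-origin is also moved to an opaque origin and no longer shares the site's origin at all. The CSP is a mitigation only; the update to 9.5.17 or 10.4.2 remains the fix.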
Origin Validation Error
CSRF
Related Identifiers
Affected Products
Typo3/Cms