PT-2020-14182 · Typo3 · Typo3/Cms

Oliver Hader · Published 2020-07-29 · Updated 2024-03-06 · CVE-2020-15098

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 9.0.0 through 9.5.19; TYPO3 CMS versions 10.0.0 through 10.4.5

Description: A flaw in the internal verification mechanism allows the generation of arbitrary checksums, enabling the injection of arbitrary data with a valid cryptographic message authentication code (HMAC-SHA1). This can lead to various attack chains, including potential privilege escalation, insecure deserialization, and remote code execution. The severity of this issue is high, considering the possible attack chains and the requirement of a valid backend user session.

Recommendations: For TYPO3 CMS versions 9.0.0 through 9.5.19, update to version 9.5.20 or later. For TYPO3 CMS versions 10.0.0 through 10.4.5, update to version 10.4.6 or later.

Exploit

Fix

RCE

Information Disclosure

Use of a Broken Cryptographic Algorithm

Deserialization of Untrusted Data

Related Identifiers

BIT-TYPO3-2020-15098
CVE-2020-15098
GHSA-M5VR-3M74-JWXP

Affected Products

Typo3/Cms