PT-2020-16358 · Xmlsoft+1 · Libxml2+1

Victoria Lee · Published 2020-11-23 · Updated 2024-03-06 · CVE-2020-26229

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: TYPO3 versions 10.4.0 through 10.4.9

Description: The issue concerns XML external entity (XXE) processing in RSS widgets. It is plausible but theoretical, as it could not be reproduced with the current PHP versions shipped by supported and maintained system distributions. With libxml2 version 2.9 or later, the processing of XML external entities is disabled by default and the issue cannot be exploited. A valid backend user account is also required.

Recommendations: Update to TYPO3 version 10.4.10 to fix the problem described. As a temporary workaround, consider restricting access to RSS widgets until the update is applied. Additionally, ensure that libxml2 version 2.9 or later is used, as it disables XML external entity processing by default.
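A defender-side check for the libxml2 default the advisory relies on, as an added example that is not TYPO3 project code: a constructed RSS document declares an external entity, and the script reports whether the PHP/libxml2 stack in use substitutes it. The feed content and the file path are placeholders constructed for the check; parseFeedSafely and entitySubstitutionActive are names assumed here.

```php
<?php
// Added example (not TYPO3 code). Verifies that the parser used for RSS
// widgets leaves external entity references unresolved, which is the
// libxml2 >= 2.9 default behaviour the advisory describes.
declare(strict_types=1);

// Constructed sample feed; the SYSTEM path is a placeholder, not a real target.
const SAMPLE_RSS = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE rss [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file.txt">
]>
<rss version="2.0">
  <channel>
    <title>Constructed feed</title>
    <item><title>&ext;</title></item>
  </channel>
</rss>
XML;

function parseFeedSafely(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new RuntimeException('Feed could not be parsed');
    }
    return $dom;
}

// Returns true if the parser attempted to substitute the entity (unsafe
// configuration), false if it was kept as an unresolved reference node.
function entitySubstitutionActive(DOMDocument $dom): bool
{
    $title = $dom->getElementsByTagName('item')->item(0)
        ->getElementsByTagName('title')->item(0);
    foreach ($title->childNodes as $node) {
        if ($node instanceof DOMEntityReference) {
            return false; // left as &ext;, content never loaded
        }
    }
    return true;
}

printf("libxml2 %s, entity substitution active: %s\n", LIBXML_DOTTED_VERSION,
    entitySubstitutionActive(parseFeedSafely(SAMPLE_RSS)) ? 'YES (review config)' : 'no');
```

Run it with the same PHP binary that serves the TYPO3 backend; a "no" confirms the default the recommendations rely on, while a "YES" means the stack substitutes entities and the update should not be postponed.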

Weakness Enumeration: XXE

Related Identifiers:
BIT-TYPO3-2020-26229
CVE-2020-26229
GHSA-Q9CP-MC96-M4W2

Affected Products:
Typo3
Libxml2