Candidate: CVE-2020-15098
PublicDate: 2020-07-29 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15098
 https://github.com/TYPO3/TYPO3.CMS/commit/85d3e70dff35a99ef53f4b561114acfa9e5c47e1
 https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-m5vr-3m74-jwxp
 https://typo3.org/security/advisory/typo3-core-sa-2016-013
 https://typo3.org/security/advisory/typo3-core-sa-2020-008
Description:
 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and
 greater than or equal to 10.0.0 and less than 10.4.6, it has been
 discovered that an internal verification mechanism can be used to generate
 arbitrary checksums. This allows to inject arbitrary data having a valid
 cryptographic message authentication code (HMAC-SHA1) and can lead to
 various attack chains including potential privilege escalation, insecure
 deserialization & remote code execution. The overall severity of this
 vulnerability is high based on mentioned attack chains and the requirement
 of having a valid backend user session (authenticated). This has been
 patched in versions 9.5.20 and 10.4.6.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_typo3-src:
upstream_typo3-src: needs-triage
precise_typo3-src: ignored (out of standard support)
precise/esm_typo3-src: DNE
trusty_typo3-src: ignored (out of standard support)
trusty/esm_typo3-src: DNE
xenial_typo3-src: DNE
bionic_typo3-src: DNE
focal_typo3-src: DNE
devel_typo3-src: DNE