SB2013122101 - Multiple vulnerabilities in TYPO3

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2013122101

SB2013122101 - Multiple vulnerabilities in TYPO3

Published: December 21, 2013 Updated: November 18, 2020

Security Bulletin ID SB2013122101
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 17% Low 83%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2013-7078)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled,. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-7073)

The vulnerability allows a remote #AU# to gain access to sensitive information.

The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters.


3) Cryptographic issues (CVE-ID: CVE-2013-7075)

The vulnerability allows a remote #AU# to read and manipulate data.

The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an unspecified parameter, related to a "missing signature."


4) Input validation error (CVE-ID: CVE-2013-7079)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Open redirect vulnerability in the OpenID extension in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-7081)

The vulnerability allows a remote #AU# to read and manipulate data.

The (old) Form Content Element component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated editors to generate arbitrary HMAC signatures and bypass intended access restrictions via unspecified vectors.


6) Cross-site scripting (CVE-ID: CVE-2013-7077)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in the Backend User Administration Module in TYPO3 6.0.x before 6.0.12 and 6.1.x before 6.1.7. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


Remediation

Install update from vendor's website.

References