FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

typo3 -- Missing access check in Extbase

Affected packages
typo3 < 7.6.8
typo3-lts < 6.2.24

Details

VuXML ID 3caf4e6c-4cef-11e6-a15f-00248c0c745d
Discovery 2016-05-24
Entry 2016-07-18

TYPO3 reports:

Extbase request handling fails to implement a proper access check for requested controller/action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.

References

CVE Name CVE-2016-5091
URL https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/
URL https://wiki.typo3.org/TYPO3_CMS_6.2.24
URL https://wiki.typo3.org/TYPO3_CMS_7.6.8