CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in
Password Reset
It has been discovered that time-based attacks can be used with the
password reset functionality for backend users. This allows an attacker
to verify whether a backend user account with a given email address
exists or not.
CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form
Engine
It has been discovered that HTML placeholder attributes containing
data of other database records are vulnerable to cross-site scripting. A
valid backend user account is needed to exploit this vulnerability.
CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link
Handling
It has been discovered that link tags generated by typolink
functionality are vulnerable to cross-site scripting - properties being
assigned as HTML attributes have not been parsed correctly.
CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing
side-effects when being unserialized
Calling unserialize() on malicious user-submitted content can result
in the following scenarios:
- trigger deletion of arbitrary directory in file system (if writable
for web server)
- trigger message submission via email using identity of web site
(mail relay)
Another insecure deserialization vulnerability is required to actually
exploit mentioned aspects.
CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in
Backend User Settings
It has been discovered that backend user settings (in $BE_USER->uc) are
vulnerable to insecure deserialization. In combination with
vulnerabilities of 3rd party components this can lead to remote code
execution. A valid backend user account is needed to exploit this
vulnerability.
CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to
Backend User Interface
It has been discovered that the backend user interface and install tool
are vulnerable to same-site request forgery. A backend user can be
tricked into interacting with a malicious resource an attacker
previously managed to upload to the web server - scripts are then
executed with the privileges of the victims’ user session.
In a worst case scenario new admin users can be created which can
directly be used by an attacker. The vulnerability is basically a
cross-site request forgery (CSRF) triggered by a cross-site scripting
vulnerability (XSS) - but happens on the same target host - thus, it’
actually a same-site request forgery (SSRF).
Malicious payload such as HTML containing JavaScript might be provided
by either an authenticated backend user or by a non-authenticated user
using a 3rd party extension - e.g. file upload in a contact form with
knowing the target location.
The attacked victim requires an active and valid backend or install
tool user session at the time of the attack to be successful.