CVE-2020-26229 – typo3/cms-core
Package
Manager: composer
Name: typo3/cms-core
Vulnerable Version: >=10.0.0 <10.4.10
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.0027 (pctl 0.50228)
Details
XML External Entity in Dashboard Widget

### Problem

It has been discovered that RSS widgets are susceptible to XML external entity processing.

The vulnerability is plausible but theoretical: it was not possible to actually reproduce it with current PHP versions of supported and maintained system distributions. At least with _libxml2_ version 2.9, the processing of XML external entities is disabled by default and cannot be exploited. Besides that, a valid backend user account is needed.

### Solution

Update to TYPO3 version 10.4.10, which fixes the problem described.
Metadata
Created: 2020-11-23T21:18:44Z
Modified: 2024-02-05T11:16:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-q9cp-mc96-m4w2/GHSA-q9cp-mc96-m4w2.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-q9cp-mc96-m4w2
Finding: F083
Auto approve: 1