Attacker Value
High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2020-15099

Disclosure Date: July 29, 2020
CVE-2020-15099 CVSS v3 Base Score: 8.1
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) – either by using a different existing vulnerability or in case the internal encryptionKey was exposed – it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows the ability to completely retrieve, manipulate or delete database contents. This includes creating an administration user account – which can be used to trigger remote code execution by injecting custom extensions. This has been patched in versions 9.5.20 and 10.4.6.

Add Assessment

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Gives privileged accessUnauthenticatedDifficult to weaponizeVulnerable in uncommon configuration
Technical Analysis

The prerequisites are important:

  1. need encryptionKey from typo3conf/LocalConfiguration.php exposed
  2. need to have and identify a valid deserialization gadget chain (eg. with phpggc)
  3. need to identify the target PHP version (5.6, 7.2, 7.4, 8.1, etc ?) to be able to serialize the gadget chain and it to be executed correctly; is not leaked it may required to try all major versions manually

so weaponizing is difficult and requires luck and lot of technical informations

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.1 High
Impact Score:
5.9
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
TYPO3 CMS >= 9.0.0, < 9.5.20
TYPO3 CMS >= 10.0.0, 10.4.6
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • typo3

Products

  • typo3

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis