Attacker Value
High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2020-15099

Disclosure Date: July 29, 2020

Description

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) – either by using a different existing vulnerability or because the internal encryptionKey was exposed – it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which in turn contains the encryptionKey as well as the credentials of the database management system being used. In case the database server is directly reachable, either via the internet or within a shared hosting network, this allows an attacker to completely retrieve, manipulate or delete database contents. This includes creating an administrator user account, which can then be used to trigger remote code execution by injecting custom extensions. This has been patched in versions 9.5.20 and 10.4.6.
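The description above boils down to a design property worth seeing in code: when a file-retrieval endpoint authorizes requests solely by an HMAC keyed with a single site-wide secret, leaking that secret turns "sign any parameter set" into "read any file". The following is an added illustrative model in Python, not TYPO3's own code; the message encoding, the function names (sign, mac_is_valid, path_is_allowed, dump_file_vulnerable, dump_file_hardened), the constructed key and the constructed fake filesystem are all assumptions. It shows (1) that a correct, constant-time HMAC-SHA1 check still hands over typo3conf/LocalConfiguration.php to anyone holding the encryptionKey, and (2) a defense-in-depth path allowlist that refuses such a request even when the MAC verifies.

```python
import hashlib
import hmac
import json
import posixpath

# Constructed for this example; not a real TYPO3 key.
ENCRYPTION_KEY = "0123456789abcdef0123456789abcdef0123456789abcdef"
ALLOWED_ROOT = "fileadmin"  # assumed: the only directory the endpoint may serve

# Constructed stand-in for the web root; path -> file bytes.
FAKE_FS = {
    "fileadmin/user_upload/report.pdf": b"%PDF-1.4 constructed sample",
    "typo3conf/LocalConfiguration.php": b"<?php return ['DB' => ['password' => 'constructed']];",
}


def sign(params: dict, key: str) -> str:
    """HMAC-SHA1 over a canonical encoding of the request parameters.

    The page states the MAC is HMAC-SHA1 keyed with the encryptionKey; the
    canonical JSON encoding of the signed message is this example's assumption.
    """
    msg = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key.encode(), msg, hashlib.sha1).hexdigest()


def mac_is_valid(params: dict, mac: str, key: str) -> bool:
    """Constant-time comparison; timing-safe, but useless once the key is known."""
    return hmac.compare_digest(sign(params, key), mac)


def path_is_allowed(path: str, root: str = ALLOWED_ROOT) -> bool:
    """Defense in depth: only paths that normalise to somewhere under `root`.

    Independent of the MAC, so a leaked key alone no longer yields arbitrary
    files. Uses POSIX rules; a Windows deployment would also need to reject
    backslashes and drive letters.
    """
    if path.startswith("/") or "\x00" in path:
        return False
    norm = posixpath.normpath(path)  # collapses "fileadmin/../typo3conf/x" to "typo3conf/x"
    return norm == root or norm.startswith(root + "/")


def dump_file_vulnerable(params: dict, mac: str, key: str, read_file=FAKE_FS.get):
    """Model of the weak design: MAC validity is the only authorisation check."""
    if not mac_is_valid(params, mac, key):
        return None
    return read_file(params["path"])


def dump_file_hardened(params: dict, mac: str, key: str, read_file=FAKE_FS.get):
    """Same endpoint with the path allowlist applied after the MAC check."""
    if not mac_is_valid(params, mac, key):
        return None
    if not path_is_allowed(params["path"]):
        return None
    return read_file(params["path"])


def forge_request(path: str, leaked_key: str) -> tuple:
    """What an attacker holding the encryptionKey can do: sign any parameters."""
    params = {"path": path}
    return params, sign(params, leaked_key)


if __name__ == "__main__":
    params, mac = forge_request("typo3conf/LocalConfiguration.php", ENCRYPTION_KEY)
    print("vulnerable:", dump_file_vulnerable(params, mac, ENCRYPTION_KEY))
    print("hardened:  ", dump_file_hardened(params, mac, ENCRYPTION_KEY))
```

The hardened variant does not make the leaked key harmless (the same key typically protects other signed tokens in the application), but it removes the direct path from "key exposed" to "LocalConfiguration.php and the database credentials exposed"; rotating the encryptionKey and the database password remains the necessary response once exposure is suspected.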

Technical Analysis

The prerequisites are important:

  1. need the encryptionKey from typo3conf/LocalConfiguration.php to be exposed
  2. need to have and identify a valid deserialization gadget chain (e.g. with phpggc)
  3. need to identify the target PHP version (5.6, 7.2, 7.4, 8.1, etc.?) to be able to serialize the gadget chain so that it is executed correctly; if it is not leaked, it may be required to try all major versions manually

so weaponizing is difficult and requires luck and a lot of technical information.

CVSS V3 Severity and Metrics
Base Score:
8.1 High
Impact Score:
5.9
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • typo3

Products

  • typo3
