Broken Access Control

Affecting typo3/cms package, versions >=8.0.0, <8.7.23 || >=9.0.0, <9.5.4

Overview

typo3/cms is a free open source Content Management Framework.

Affected versions of this package are vulnerable to Broken Access Control. Backend users whose editing permissions are restricted to specific languages can nevertheless create and modify pages in the default language, which should be disallowed. A valid backend user account is required to exploit this vulnerability.
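The defect class described above, modelled as an added example (this is illustrative code, not TYPO3's implementation, and its permission model is an assumption: languages are integer ids, 0 is the site default, and an empty allowed set means the editor is unrestricted). The flawed check exempts default-language pages from the language restriction; the hardened check applies the restriction to every write, page creation included.

```python
"""Language-restricted editors must not write default-language pages.

Added illustration of the access-control flaw, not TYPO3 code. Assumed
model: integer language ids, 0 = default language, empty allowed set =
unrestricted editor.
"""

DEFAULT_LANGUAGE = 0


class Page:
    def __init__(self, uid, language):
        self.uid = uid              # None for a page that is being created
        self.language = language    # language id; 0 is the default language


class BackendUser:
    def __init__(self, name, allowed_languages, is_admin=False):
        self.name = name
        self.allowed_languages = frozenset(allowed_languages)
        self.is_admin = is_admin


def may_write_page_vulnerable(user, page):
    """Flawed check: the language restriction is only consulted for
    translated pages, so default-language pages slip through."""
    if user.is_admin:
        return True
    if page.language == DEFAULT_LANGUAGE:
        return True  # BUG: default language bypasses the restriction entirely
    return not user.allowed_languages or page.language in user.allowed_languages


def may_write_page_fixed(user, page):
    """Hardened check: every write is validated against the user's language
    whitelist; the default language gets no exemption."""
    if user.is_admin:
        return True
    if not user.allowed_languages:
        return True  # unrestricted editor (assumed convention)
    return page.language in user.allowed_languages


def may_create_page(user, language, checker):
    """Creating a page is the same decision taken on a not-yet-stored record,
    so it must go through the same checker as modification."""
    return checker(user, Page(uid=None, language=language))


if __name__ == "__main__":
    editor = BackendUser("de-editor", allowed_languages={1})  # German only
    default_page = Page(uid=10, language=DEFAULT_LANGUAGE)
    print("vulnerable:", may_write_page_vulnerable(editor, default_page))
    print("fixed:     ", may_write_page_fixed(editor, default_page))
    print("create default-language page (fixed):",
          may_create_page(editor, DEFAULT_LANGUAGE, may_write_page_fixed))
```

The point of the split into two functions is the review question to ask of any per-language permission scheme: is the "unrestricted" branch reached because the user is unrestricted, or merely because the record happens to be in the default language?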

Remediation

Upgrade typo3/cms to version 8.7.23, 9.5.4 or higher.
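A check for the affected ranges above against a project's composer.lock, as an added example (not Snyk's or TYPO3's tooling). It reads the lock file's "packages" and "packages-dev" sections, normalises composer version strings such as "v8.7.22" or "9.5.4-rc1", and reports whether the installed typo3/cms version falls into ">=8.0.0, <8.7.23 || >=9.0.0, <9.5.4". The sample lock document is constructed for the example.

```python
import json

# Affected ranges stated in the advisory, as (lower inclusive, upper exclusive).
AFFECTED_RANGES = [
    ("8.0.0", "8.7.23"),
    ("9.0.0", "9.5.4"),
]


def normalize(version):
    """Map a composer version string to a comparable 5-tuple.

    'v8.7.22', '8.7.22.0' and '8.7.22' all become (8, 7, 22, 0, 0); a
    pre-release such as '9.5.4-rc1' becomes (9, 5, 4, 0, -1) so it sorts
    below the final 9.5.4 and is conservatively treated as still affected.
    Branch aliases such as 'dev-master' raise ValueError.
    """
    text = version.lstrip("v")
    core, _, suffix = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unsupported version format: {version!r}")
    parts += [0] * (4 - len(parts))
    parts.append(-1 if suffix else 0)
    return tuple(parts)


def is_affected(version):
    """True if `version` lies in one of the advisory's affected ranges."""
    v = normalize(version)
    return any(normalize(lo) <= v < normalize(hi) for lo, hi in AFFECTED_RANGES)


def scan_composer_lock(lock_text, package="typo3/cms"):
    """Return [(section, version, status)] for every entry of `package` in a
    composer.lock document; status is True/False, or None when the version
    string could not be parsed (e.g. a dev branch) and needs manual review."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") != package:
                continue
            try:
                status = is_affected(entry["version"])
            except ValueError:
                status = None
            findings.append((section, entry["version"], status))
    return findings


# Constructed sample lock document for this example, not a real project's lock.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms", "version": "v8.7.22"},
        {"name": "psr/log", "version": "1.1.0"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    verdicts = {
        True: "AFFECTED - upgrade to 8.7.23 / 9.5.4 or later",
        False: "not affected",
        None: "version not parseable, review manually",
    }
    for section, version, status in scan_composer_lock(SAMPLE_LOCK):
        print(f"{section}: typo3/cms {version}: {verdicts[status]}")
```

Run it against a real lock file with `scan_composer_lock(open("composer.lock").read())`. Pre-release suffixes are deliberately treated as older than the matching final release so that a release-candidate of the fixed version is not silently reported as patched.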

References

CVSS Score

5.4
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C
Credit
Sascha Egerer
CWE
CWE-284
Snyk ID
SNYK-PHP-TYPO3CMS-73577
Disclosed
22 Jan, 2019
Published
22 Jan, 2019