Broken Access Control

Affecting typo3/cms-core package, versions >=8.0.0, <8.7.23 || >=9.0.0, <9.5.4


Overview

typo3/cms-core is an open source enterprise content management system.

Affected versions of this package are vulnerable to Broken Access Control. Backend users whose access is limited to specific languages are able to modify and create pages in the default language, which should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.

Remediation

Upgrade typo3/cms-core to version 8.7.23, 9.5.4 or higher.
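To check an installation against the affected ranges stated above, the following script (added here, not part of the advisory or of TYPO3) parses the Composer-style constraint and looks up typo3/cms-core in a composer.lock file; the lock file content below is constructed sample data.

```python
import json
import re

# Affected ranges, copied from the advisory (Composer-style constraint syntax).
AFFECTED = ">=8.0.0, <8.7.23 || >=9.0.0, <9.5.4"

# Constructed sample composer.lock content (not from a real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "psr/log", "version": "1.1.0"},
    {"name": "typo3/cms-core", "version": "v9.5.3"},
]})

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}

def parse_version(text):
    """Map '9.5.4', 'v9.5.4' or '9.5.4-dev' to a comparable tuple.
    A leading 'v' and any pre-release suffix are ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_constraint(constraint):
    """'A, B || C, D' -> list of OR-alternatives, each a list of ANDed (op, version)."""
    alternatives = []
    for alt in constraint.split("||"):
        terms = []
        for term in alt.split(","):
            m = re.fullmatch(r"\s*(>=|<=|>|<|==)?\s*([\w.\-]+)\s*", term)
            if not m:
                raise ValueError(f"bad constraint term: {term!r}")
            terms.append((m.group(1) or "==", parse_version(m.group(2))))
        alternatives.append(terms)
    return alternatives

def is_affected(installed, constraint=AFFECTED):
    """True if the installed version falls inside any of the affected ranges."""
    v = parse_version(installed)
    return any(all(_OPS[op](v, bound) for op, bound in terms)
               for terms in parse_constraint(constraint))

def affected_in_lock(lock_text, package="typo3/cms-core"):
    """Return (version, affected) for the package in a composer.lock, or (None, False)."""
    for entry in json.loads(lock_text).get("packages", []):
        if entry.get("name") == package:
            return entry["version"], is_affected(entry["version"])
    return None, False
```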

References

CVSS Score

5.4 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: Low

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C

Credit: Sascha Egerer
CWE: CWE-284
Snyk ID: SNYK-PHP-TYPO3CMSCORE-73580
Disclosed: 22 Jan, 2019
Published: 22 Jan, 2019