CVE-2020-15086

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15086
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15086.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15086
Aliases
Published
2020-07-29T17:15:13Z
Modified
2024-05-30T02:25:08.672426Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows an attacker to inject arbitrary data that carries a valid cryptographic message authentication code, and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. This is fixed in version 7.6.5 of the "mediace" extension for TYPO3.

References

Affected packages

Git / github.com/friendsoftypo3/mediace

Affected ranges

Type
GIT
Repo
https://github.com/friendsoftypo3/mediace
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

7.*

7.6.0
7.6.2
7.6.3
7.6.4