CVE-2020-26229

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-26229

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26229.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-26229

Aliases

Related

GHSA-q9cp-mc96-m4w2

Published

2020-11-23T22:15:12Z

Modified

2025-02-19T03:10:35.448789Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L CVSS Calculator

Summary

[none]

Details

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described.

References

Affected packages

Git / github.com/typo3/typo3.cms

Affected ranges

Type: GIT
Repo: https://github.com/typo3/typo3.cms
Events: Introduced

c91b70e450c52d29ffb08115fffbb7832b15a330

Fixed

05dd328bdc752c647316be991e593a79e71a1b08

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.3.0

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.4.7

v10.4.8

v10.4.9