GHSA-ffcv-v6pw-qhrp

Suggest an improvement
Source
https://github.com/advisories/GHSA-ffcv-v6pw-qhrp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-ffcv-v6pw-qhrp/GHSA-ffcv-v6pw-qhrp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ffcv-v6pw-qhrp
Aliases
Published
2024-10-08T22:18:27Z
Modified
2024-10-31T19:36:47.057995Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C CVSS Calculator
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Denial of Service in TYPO3 Bookmark Toolbar
Details

Problem

Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account.

Solution

Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described.

Credits

Thanks to Hendrik Eichner who reported this issue and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.

References

Database specific 
{
    "nvd_published_at": "2024-10-28T14:15:04Z",
    "cwe_ids": [
        "CWE-1286",
        "CWE-248"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-08T22:18:27Z"
}
References

Affected packages

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.0.0
Fixed
13.3.1

Affected versions

13.*

13.0.0

v13.*

v13.0.0
v13.0.1
v13.1.0
v13.1.1
v13.2.1
v13.3.0

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.4.21

Affected versions

v12.*

v12.0.0
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.2.0
v12.3.0
v12.4.0
v12.4.1
v12.4.2
v12.4.3
v12.4.4
v12.4.5
v12.4.6
v12.4.7
v12.4.8
v12.4.9
v12.4.10
v12.4.11
v12.4.12
v12.4.13
v12.4.14
v12.4.15
v12.4.16
v12.4.17
v12.4.18
v12.4.19
v12.4.20

Database specific 

{
    "last_known_affected_version_range": "< 12.4.20"
}

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.5.40

Affected versions

v11.*

v11.0.0
v11.1.0
v11.1.1
v11.2.0
v11.3.0
v11.3.1
v11.3.2
v11.3.3
v11.4.0
v11.5.0
v11.5.1
v11.5.2
v11.5.3
v11.5.4
v11.5.5
v11.5.6
v11.5.7
v11.5.8
v11.5.9
v11.5.10
v11.5.11
v11.5.12
v11.5.13
v11.5.14
v11.5.15
v11.5.16
v11.5.17
v11.5.18
v11.5.19
v11.5.20
v11.5.21
v11.5.22
v11.5.23
v11.5.24
v11.5.25
v11.5.26
v11.5.27
v11.5.28
v11.5.29
v11.5.30
v11.5.31
v11.5.32
v11.5.33
v11.5.34
v11.5.35
v11.5.36
v11.5.37
v11.5.38
v11.5.39

Database specific 

{
    "last_known_affected_version_range": "<= 11.5.39"
}

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.46

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13
v10.4.14
v10.4.15
v10.4.16
v10.4.17
v10.4.18
v10.4.19
v10.4.20
v10.4.21
v10.4.22
v10.4.23
v10.4.24
v10.4.25
v10.4.26
v10.4.27
v10.4.28
v10.4.29
v10.4.30
v10.4.31
v10.4.32
v10.4.33
v10.4.34
v10.4.36
v10.4.37

Database specific 

{
    "last_known_affected_version_range": "<= 10.4.45"
}