Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.
{ "nvd_published_at": null, "cwe_ids": [], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-06-05T14:22:26Z" }