CVE-2020-26229

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26229
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26229.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-26229
Aliases
Withdrawn
2024-05-08T06:51:21.410326Z
Published
2020-11-23T22:15:12Z
Modified
2023-12-06T00:45:26.582163Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L CVSS Calculator
Summary
[none]
Details

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described.

References

Affected packages

Git / github.com/benjaminkott/bootstrap_package

Affected ranges

Type
GIT
Repo
https://github.com/benjaminkott/bootstrap_package
Events
Type
GIT
Repo
https://github.com/typo3/typo3
Events
Type
GIT
Repo
https://github.com/typo3/typo3.cms
Events

Affected versions

10.*

10.0.0
10.0.1
10.0.10
10.0.11
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9

11.*

11.0.0
11.0.1
11.0.2
11.0.3
11.0.4

12.*

12.0.0
12.0.1
12.0.10
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7
12.0.8
12.0.9

13.*

13.0.0
13.0.1
13.0.2
13.0.3
13.0.4
13.0.5

14.*

14.0.0
14.0.1
14.0.2
14.0.3
14.0.4
14.0.5
14.0.6
14.0.7

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9