GHSA-q9cp-mc96-m4w2

Suggest an improvement
Source
https://github.com/advisories/GHSA-q9cp-mc96-m4w2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-q9cp-mc96-m4w2/GHSA-q9cp-mc96-m4w2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q9cp-mc96-m4w2
Aliases
Published
2020-11-23T21:18:44Z
Modified
2024-02-05T11:30:45.392062Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L CVSS Calculator
Summary
XML External Entity in Dashboard Widget
Details

Problem

It has been discovered that RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.

At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.

Solution

Update to TYPO3 version 10.4.10 that fixes the problem described.

Database specific
{
    "nvd_published_at": "2020-11-23T22:15:12Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-23T21:16:32Z"
}
References

Affected packages

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.10

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.10

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9