GHSA-gwfx-p7mr-f92v: Missing Access Check in TYPO3 CMS

June 5, 2024

Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2016-05-24-1.yaml
github.com/advisories/GHSA-gwfx-p7mr-f92v
web.archive.org/web/20160606110438/https://typo3.org/teamssecuritysecurity-bulletins/security-bulletins-single-view/article/missing-access-check-in-typo3-cms

Code Behaviors & Features

Detect and mitigate GHSA-gwfx-p7mr-f92v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →