Missing Access Check in TYPO3 CMS

Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.

Published: Jun 5, 2024
Updated: Jun 27, 2024
GHSA: GHSA-gwfx-p7mr-f92v
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
typo3 / cms	6.2.0	6.2.25
typo3 / cms	7.6.0	7.6.8
typo3 / cms	8.0.0	8.1.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2016-05-24-1.yaml
https://web.archive.org/web/20160606110438/https://typo3.org/teamssecuritysecurity-bulletins/security-bulletins-single-view/article/missing-access-check-in-typo3-cms

Vulnerability Database

Missing Access Check in TYPO3 CMS