diff options
author | Torsten Zuehlsdorff <tz@FreeBSD.org> | 2016-07-19 12:55:43 +0000 |
---|---|---|
committer | Torsten Zuehlsdorff <tz@FreeBSD.org> | 2016-07-19 12:55:43 +0000 |
commit | e9db627b0d8e370b9534ec3743c54099f50bc654 (patch) | |
tree | 68197f8077d6500b4a5868a225c475a233dc0cbb /security | |
parent | multimedia/emby-server: Update to 3.0.5986 (diff) |
www/typo3 and www/typo3-lts: Document missing access check in Extbase
PR: 210870, 210871
Security: CVE-2016-5091
Security: https://vuxml.freebsd.org/freebsd/3caf4e6c-4cef-11e6-a15f-00248c0c745d.html
Approved by: junovitch (mentor)
Notes
Notes:
svn path=/head/; revision=418774
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index e0c1fa86809f..0161706e8d4c 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,44 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="3caf4e6c-4cef-11e6-a15f-00248c0c745d"> + <topic>typo3 -- Missing access check in Extbase</topic> + <affects> + <package> + <name>typo3</name> + <range><lt>7.6.8</lt></range> + </package> + <package> + <name>typo3-lts</name> + <range><lt>6.2.24</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>TYPO3 reports:</p> + <blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/"> + <p>Extbase request handling fails to implement a proper access check for + requested controller/ action combinations, which makes it possible for an + attacker to execute arbitrary Extbase actions by crafting a special request. To + successfully exploit this vulnerability, an attacker must have access to at + least one Extbase plugin or module action in a TYPO3 installation. The missing + access check inevitably leads to information disclosure or remote code + execution, depending on the action that an attacker is able to execute.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-5091</cvename> + <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/</url> + <url>https://wiki.typo3.org/TYPO3_CMS_7.6.8</url> + <url>https://wiki.typo3.org/TYPO3_CMS_6.2.24</url> + </references> + <dates> + <discovery>2016-05-24</discovery> + <entry>2016-07-18</entry> + </dates> + </vuln> + <vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf"> <topic>Multiple ports -- Proxy HTTP header vulnerability (httpoxy)</topic> <affects> |