typo3 mediace CVE-2020-15086 is a vulnerability in TYPO3 Mediace
Published on July 29, 2020

Potential Remote Code Execution in TYPO3 with mediace extension
In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one `Extbase` plugin or module action in a TYPO3 installation. This is fixed in version 7.6.5 of the "mediace" extension for TYPO3.

Github Repository NVD

Vulnerability Analysis

CVE-2020-15086 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Missing Cryptographic Step

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2020-15086 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2020-15086 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2020-15086

Want to know whenever a new CVE is published for TYPO3 Mediace? stack.watch will email you.

TYPO3 Mediace
 

Affected Versions

FriendsOfTYPO3 mediace Version >= 7.6.2, < 7.6.5 is affected by CVE-2020-15086

Vulnerable Packages

The following package name and versions may be associated with CVE-2020-15086

Package Manager Vulnerable Package Versions Fixed In
composer friendsoftypo3/mediace >= 7.6.2, < 7.6.5 7.6.5

Exploit Probability

EPSS
3.68%
Percentile
87.88%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.