CVE-2020-26228
Last modified
CVE-2020-26228 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. EPSS estimates a 0.67% chance of exploitation in the next 30 days.
Description
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Typo3 | Typo3 | >= 9.0.0, < 9.5.23 |
| Typo3 | Typo3 | >= 10.0.0, < 10.4.10 |
References
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52Third Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2020-011Vendor Advisory
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52Third Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2020-011Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-26228?
How severe is CVE-2020-26228?
How do I fix CVE-2020-26228?
Are you affected by CVE-2020-26228?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST