CVE-2020-26229— TYPO3 代码问题漏洞

XML External Entity in Dashboard Widget

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L

XML外部实体引用的不恰当限制(XXE)

TYPO3 代码问题漏洞

TYPO3是瑞士TYPO3（Typo3）协会的一套免费开源的内容管理系统(框架)(CMS/CMF)。 TYPO3 存在代码问题漏洞，该漏洞源于对RSS小部件中用户提供的XML输入的验证不足，远程用户可以向受影响的应用程序传递专门编写的XML代码，查看系统上任意文件的内容，或者向外部系统发起请求。成功利用该漏洞可以允许攻击者查看服务器上任意文件的内容，或对内部和外部基础设施执行网络扫描。

N/A

N/A