CVE-2016-5091: Extbase for TYPO3 allows RCE

CVSS Score (v3.0): 8.1

Basic Information

EPSS Score
0.84789%
CWE
-
Published
5/17/2022
Updated
7/31/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name        Ecosystem   Vulnerable Versions   First Patched Version
typo3/cms-extbase   composer    < 6.2.24              6.2.24
typo3/cms-extbase   composer    >= 7.0, < 7.6.8       7.6.8
typo3/cms-extbase   composer    = 8.1.1               -

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing access checks in Extbase's request handling pipeline. The Dispatcher class is central to routing requests to controller actions. The security bulletin explicitly states that access checks for controller/action combinations were missing, which aligns with the responsibility of the Dispatcher::dispatch method. The medium confidence assigned to ActionController::processRequest reflects its role in executing the action, though the primary flaw resides in the dispatcher's access control gap. The patches in versions 6.2.24 and 7.6.8 likely added access checks in these critical paths.

WAF Protection Rules

WAF Rule

Extbase in TYPO3 [version masked on the page] before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action.