CVE-2016-5091: Extbase for TYPO3 allows RCE
CVSS Score: 8.1 (CVSS v3.0)
Basic Information
CVE ID: CVE-2016-5091
GHSA ID
EPSS Score: 0.84789%
CWE: -
Published: 5/17/2022
Updated: 7/31/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms-extbase | composer | < 6.2.24 | 6.2.24 |
| typo3/cms-extbase | composer | >= 7.0, < 7.6.8 | 7.6.8 |
| typo3/cms-extbase | composer | = 8.1.1 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a missing access check in Extbase's request handling pipeline. The Dispatcher class is central to routing requests to controller actions, and the security bulletin explicitly describes the flaw as a lack of access checks for the requested controller/action combination, which aligns with the responsibility of the Dispatcher::dispatch method. ActionController::processRequest is a secondary candidate (rated with medium confidence) because it executes the resolved action, but the primary gap is in the dispatcher's access control: a crafted request can name a controller/action pair that the plugin never exposed, and that action then runs with the plugin's privileges, so the impact ranges from information disclosure up to remote code execution depending on what the reachable action does. The fixes in 6.2.24 and 7.6.8 most likely added access checks to these critical paths.
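To make the class of flaw concrete, here is an added illustration in PHP that is not TYPO3's code: a minimal Extbase-style dispatcher that resolves the controller and action from request parameters, shown once without any allow-list check (the pattern the bulletin describes) and once hardened so that only the controller/action pairs the plugin declares can be dispatched. The class and function names (NewsController, dispatchUnchecked, dispatchChecked) and the $pluginAllowedActions array, which is modelled on the way Extbase plugins declare their permitted controller/action combinations, are hypothetical.

```php
<?php
// Added example, not TYPO3 or Extbase source. All names below are hypothetical.
declare(strict_types=1);

final class AccessDeniedException extends RuntimeException {}

// A hypothetical controller: public *Action methods are the callable actions.
final class NewsController
{
    public function listAction(): string { return 'news list'; }
    public function showAction(int $id): string { return "news item $id"; }
    // Present in the class, but never meant to be reachable from the frontend plugin.
    public function deleteAction(int $id): string { return "deleted news item $id"; }
}

// What the plugin declares it exposes, in the spirit of Extbase's
// switchableControllerActions configuration (constructed for this example).
$pluginAllowedActions = [
    'News' => ['list', 'show'],
];

$controllers = ['News' => new NewsController()];

/**
 * Vulnerable pattern: controller and action names are taken straight from the
 * request and dispatched, so any public *Action method becomes reachable.
 */
function dispatchUnchecked(array $request, array $controllers): string
{
    $controller = $controllers[$request['controller'] ?? ''] ?? null;
    if ($controller === null) {
        throw new RuntimeException('unknown controller');
    }
    $method = ($request['action'] ?? '') . 'Action';
    if (!method_exists($controller, $method)) {
        throw new RuntimeException('unknown action');
    }
    return $controller->$method(...array_values($request['arguments'] ?? []));
}

/**
 * Hardened pattern: the controller/action pair is validated against the
 * plugin's declared allow-list before anything is resolved or invoked.
 */
function dispatchChecked(array $request, array $controllers, array $allowed): string
{
    $controllerName = (string)($request['controller'] ?? '');
    $actionName     = (string)($request['action'] ?? '');

    // The access check the vulnerable version lacks: exact-match allow-list lookup.
    if (!isset($allowed[$controllerName])
        || !in_array($actionName, $allowed[$controllerName], true)) {
        throw new AccessDeniedException(
            sprintf('%s->%s is not an allowed action for this plugin', $controllerName, $actionName)
        );
    }
    return dispatchUnchecked($request, $controllers);
}

// A benign request the plugin intends to serve.
$legit = ['controller' => 'News', 'action' => 'show', 'arguments' => ['id' => 7]];
// A crafted request naming an action the plugin never exposed.
$crafted = ['controller' => 'News', 'action' => 'delete', 'arguments' => ['id' => 7]];

echo dispatchUnchecked($legit, $controllers), PHP_EOL;   // news item 7
echo dispatchUnchecked($crafted, $controllers), PHP_EOL; // deleted news item 7  <- the flaw
echo dispatchChecked($legit, $controllers, $pluginAllowedActions), PHP_EOL; // news item 7
try {
    dispatchChecked($crafted, $controllers, $pluginAllowedActions);
} catch (AccessDeniedException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The point of the hardened version is where the check sits: it runs on the names in the request before any controller is instantiated or any method resolved, and it compares against an explicit allow-list rather than against "does the method exist", which is exactly the difference between a public method being present and the plugin having exposed it.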