8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15098

GHSA ID

GHSA-m5vr-3m74-jwxp

EPSS Score

0.8443%

CWE

CWE-20

Published

7/29/2020

Updated

2/5/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15098

CVE-2020-15098: Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS

Meta

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (8.2)

CWE-325, CWE-20, CWE-200, CWE-502

Problem

It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.

TYPO3-CORE-SA-2020-007, CVE-2020-15099: Potential Privilege Escalation
- the database server used for a TYPO3 installation must be accessible for an attacker (either via internet or shared hosting network)
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (7.5, high)
TYPO3-CORE-SA-2016-013, CVE-2016-5091: Insecure Deserialization & Remote Code Execution
- an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (9.1, critical)

The overall severity of this vulnerability is high (8.2) based on mentioned attack chains and the requirement of having a valid backend user session (authenticated).

Solution

Update to TYPO3 versions 9.5.20 or 10.4.6 that fix the problem described.

Credits

Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue.

References

TYPO3-CORE-SA-2020-008

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15098

GHSA ID

GHSA-m5vr-3m74-jwxp

EPSS Score

0.8443%

CWE

CWE-20

Published

7/29/2020

Updated

2/5/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 9.0.0, < 9.5.20	9.5.20
typo3/cms-core	composer	>= 10.0.0, < 10.4.6	10.4.6
typo3/cms	composer	>= 10.0.0, < 10.4.6	10.4.6
typo3/cms	composer	>= 9.0.0, < 9.5.20	9.5.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing context-specific keys in HMAC-SHA1 generation, as shown in the commit diff. The patch added a mandatory second parameter ('backend-link-browser') to GeneralUtility::hmac() calls to scope the cryptographic hashes. The pre-patch HMAC implementations without this parameter allowed attackers to generate valid HMACs for malicious payloads by exploiting the missing cryptographic step (CWE-325). This directly enabled the documented attack chains (privilege escalation, deserialization RCE) via forged HMAC validation. The files/functions modified in the security patch are the unambiguous source of the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

> ### M*t* > * *VSS: `*VSS:*.*/*V:N/**:L/PR:L/UI:N/S:U/*:*/I:*/*:*/*:*/RL:O/R*:*` (*.*) > * *W*-***, *W*-**, *W*-***, *W*-*** ### Pro*l*m It **s ***n *is*ov*r** t**t *n int*rn*l v*ri*i**tion m****nism **n ** us** to **n*r*t* *r*itr*ry ****ksums. T*i

Reasoning

T** vuln*r**ility st*mm** *rom missin* *ont*xt-sp**i*i* k*ys in `*M**-S***` **n*r*tion, *s s*own in t** *ommit *i**. T** p*t** ***** * m*n**tory s**on* p*r*m*t*r ('***k*n*-link-*rows*r') to `**n*r*lUtility::*m**()` **lls to s*op* t** *rypto*r*p*i* **

8.8

Basic Information

Concerned about an active attack path?

CVE-2020-15098: Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS

Meta

Problem

Solution

Credits

References

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI