
CVE-2020-15098: Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS

CVSS Score: 8.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.8443%
Published: 7/29/2020
Updated: 2/5/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| typo3/cms-core | composer | >= 9.0.0, < 9.5.20 | 9.5.20 |
| typo3/cms-core | composer | >= 10.0.0, < 10.4.6 | 10.4.6 |
| typo3/cms | composer | >= 10.0.0, < 10.4.6 | 10.4.6 |
| typo3/cms | composer | >= 9.0.0, < 9.5.20 | 9.5.20 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from missing context-specific keys in HMAC-SHA1 generation, as shown in the commit diff. The patch added a mandatory second parameter ('backend-link-browser') to GeneralUtility::hmac() calls to scope the cryptographic hashes. The pre-patch HMAC implementations without this parameter allowed attackers to generate valid HMACs for malicious payloads by exploiting the missing cryptographic step (CWE-325). This directly enabled the documented attack chains (privilege escalation, deserialization RCE) via forged HMAC validation. The files/functions modified in the security patch are the unambiguous source of the vulnerability.
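The effect of scoping an HMAC with a context string, as an added example that is not TYPO3's code or taken from the patch. `SITE_KEY`, `demo_hmac()`, `demo_verify()`, the payload and the `'other-component'` context are hypothetical names and constructed values; the sketch assumes the context string is appended to the site-wide key before HMAC-SHA1 is computed.

```php
<?php
declare(strict_types=1);

// Constructed demo key; stands in for a site-wide encryption key (assumption).
const SITE_KEY = 'constructed-demo-encryption-key';

/**
 * Hypothetical helper: HMAC-SHA1 over $input. The optional $context is
 * appended to the key, so every context works with its own effective key.
 */
function demo_hmac(string $input, string $context = ''): string
{
    return hash_hmac('sha1', $input, SITE_KEY . $context);
}

/** Constant-time check that $token is the MAC of $input in $context. */
function demo_verify(string $input, string $token, string $context = ''): bool
{
    return hash_equals(demo_hmac($input, $context), $token);
}

$payload = 'constructed-parameter-value';

// Pre-patch shape: no context. A MAC issued by one component for this value
// also verifies in every other component that shares the key.
$unscoped = demo_hmac($payload);
printf("unscoped MAC accepted by an unrelated verifier: %s\n",
    var_export(demo_verify($payload, $unscoped), true));

// Patched shape: issuer and verifier both bind the MAC to one context.
$scoped = demo_hmac($payload, 'backend-link-browser');
printf("scoped MAC accepted in its own context: %s\n",
    var_export(demo_verify($payload, $scoped, 'backend-link-browser'), true));
printf("scoped MAC accepted in another context: %s\n",
    var_export(demo_verify($payload, $scoped, 'other-component'), true));
printf("unscoped MAC accepted by the scoped verifier: %s\n",
    var_export(demo_verify($payload, $unscoped, 'backend-link-browser'), true));
```

When reviewing code that shares one key across features, the check to make is that every issuing call and its matching verifying call pass the same, feature-specific context string.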
