Miggo Logo
Miggo Vulnerability Database
CVE-2020-15513

CVE-2020-15513: Incorrect access control in typo3_forum

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-15513
GHSA ID
GHSA-57gr-jvqr-3hwm
EPSS Score
0.42313%
CWE
CWE-863
Published
7/29/2020
Updated
1/9/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
mittwald/typo3_forumcomposer< 1.2.11.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers around broken access control in post creation. In TYPO3 MVC architecture, controller actions handle specific operations. The security advisory specifically mentions that 'anonymous users to create forum posts although this feature is disabled', which directly implicates the post creation endpoint. The most likely location for this missing authorization check would be in the PostController's createAction method, which would handle the post creation workflow. Without seeing the actual patch code, we base this on 1) the vulnerability description matching controller action functionality, and 2) standard TYPO3 extension patterns where access checks are implemented in controller actions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** typo*_*orum *xt*nsion ***or* *.*.* *or TYPO* **s In*orr**t ****ss *ontrol.

Reasoning

T** vuln*r**ility **nt*rs *roun* *rok*n ****ss *ontrol in post *r**tion. In TYPO* MV* *r**it**tur*, *ontroll*r **tions **n*l* sp**i*i* op*r*tions. T** s**urity **visory sp**i*i**lly m*ntions t**t '*nonymous us*rs to *r**t* *orum posts *lt*ou** t*is *