7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-45wj-jv2h-jwrf

EPSS Score

CWE

CWE-89

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-45wj-jv2h-jwrf

GHSA-45wj-jv2h-jwrf: TYPO3 CMS Privilege Escalation and SQL Injection

Failing to properly dissociate system related configuration from user generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation. Basically instructions can be persisted to a form definition file that were not configured to be modified - this applies to definitions managed using the form editor module as well as direct file upload using the regular file list module. A valid backend user account as well as having system extension form activated are needed in order to exploit this vulnerability.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-45wj-jv2h-jwrf

EPSS Score

CWE

CWE-89

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 8.5.0, < 8.7.17	8.7.17
typo3/cms-core	composer	>= 9.0.0, < 9.3.2	9.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two primary issues: improper input validation in the form editor and insecure file handling via FAL. The form editor's save/preview actions did not filter user-submitted form definitions against allowed properties (CWE-89), enabling SQL injection through malicious YAML configurations. Additionally, functions like moveFile and func_edit in FAL-related classes allowed direct manipulation of form definition files (.form.yaml) without proper authorization checks, leading to privilege escalation. The patches introduced validation() checks in the form editor and restricted FAL operations, confirming these functions were vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**ilin* to prop*rly *isso*i*t* syst*m r*l*t** *on*i*ur*tion *rom us*r **n*r*t** *on*i*ur*tion, t** *orm *r*m*work (syst*m *xt*nsion "*orm") is vuln*r**l* to SQL inj**tion *n* Privil*** *s**l*tion. **si**lly instru*tions **n ** p*rsist** to * *orm ***

Reasoning

T** vuln*r**ility st*ms *rom two prim*ry issu*s: improp*r input v*li**tion in t** *orm **itor *n* ins**ur* *il* **n*lin* vi* **L. T** *orm **itor's s*v*/pr*vi*w **tions *i* not *ilt*r us*r-su*mitt** *orm ***initions ***inst *llow** prop*rti*s (*W*-**

7.5

Basic Information

Concerned about an active attack path?

GHSA-45wj-jv2h-jwrf: TYPO3 CMS Privilege Escalation and SQL Injection

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI