XML External Entity in Dashboard Widget

Description

Problem

It has been discovered that RSS widgets are susceptible to XML external entity processing.
This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.

At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.

Solution

Update to TYPO3 version 10.4.10 that fixes the problem described.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Not specified
Published (advisory)
2020-11-23 21:18:44 UTC
Updated
2024-02-15 05:06:49 UTC
GitHub reviewed
2020-11-23 21:16:32 UTC
NVD published
2020-11-23

EPSS Score

Score Percentile
0.27% 50.52%

CVSS Scores

Base score Version Severity Vector
3.7 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

CWEs

CWE id Name
CWE-611 Improper Restriction of XML External Entity Reference

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer typo3/cms-core >= 10.0.0, < 10.4.10 10.4.10
composer typo3/cms >= 10.0.0, < 10.4.10 10.4.10

References

cvelogic Threat Intelligence