OpenCVE

Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Typo3	Typo3

Configuration 1 [-]

OR	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3:7.0.0:::::::*
	cpe:2.3:a:typo3:typo3:7.0.2:::::::*
	cpe:2.3:a:typo3:typo3:7.1.0:::::::*
	cpe:2.3:a:typo3:typo3:7.2.0:::::::*
	cpe:2.3:a:typo3:typo3:7.3.0:::::::*
	cpe:2.3:a:typo3:typo3:7.3.1:::::::*
	cpe:2.3:a:typo3:typo3:7.4.0:::::::*
	cpe:2.3:a:typo3:typo3:7.5.0:::::::*
	cpe:2.3:a:typo3:typo3:7.6.0:::::::*
	cpe:2.3:a:typo3:typo3:7.6.1:::::::*
	cpe:2.3:a:typo3:typo3:7.6.2:::::::*
	cpe:2.3:a:typo3:typo3:7.6.3:::::::*
	cpe:2.3:a:typo3:typo3:7.6.4:::::::*
	cpe:2.3:a:typo3:typo3:7.6.5:::::::*
	cpe:2.3:a:typo3:typo3:7.6.6:::::::*
	cpe:2.3:a:typo3:typo3:7.6.7:::::::*
	cpe:2.3:a:typo3:typo3:7.6.8:::::::*
	cpe:2.3:a:typo3:typo3:8.1.1:::::::*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2016/05/25/4
http://www.openwall.com/lists/oss-security/2016/05/26/2
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-01-23T21:00:00

Updated: 2024-08-06T00:53:47.379Z

Reserved: 2016-05-26T00:00:00

Link: CVE-2016-5091

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-01-23T21:59:01.610

Modified: 2024-11-21T02:53:36.410

Link: CVE-2016-5091

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-05-24T00:00:00", "descriptions": [{"lang": "en", "value": "Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-01-24T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/"}, {"name": "[oss-security] 20160525 CVE-Request: TYPO3 Extbase Missing Access Check", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/05/25/4"}, {"name": "[oss-security] 20160526 Re: CVE-Request: TYPO3 Extbase Missing Access Check", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/05/26/2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-5091", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/", "refsource": "CONFIRM", "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/"}, {"name": "[oss-security] 20160525 CVE-Request: TYPO3 Extbase Missing Access Check", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/05/25/4"}, {"name": "[oss-security] 20160526 Re: CVE-Request: TYPO3 Extbase Missing Access Check", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/05/26/2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:53:47.379Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/"}, {"name": "[oss-security] 20160525 CVE-Request: TYPO3 Extbase Missing Access Check", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/05/25/4"}, {"name": "[oss-security] 20160526 Re: CVE-Request: TYPO3 Extbase Missing Access Check", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/05/26/2"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-5091", "datePublished": "2017-01-23T21:00:00", "dateReserved": "2016-05-26T00:00:00", "dateUpdated": "2024-08-06T00:53:47.379Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "matchCriteriaId": "53F9573C-DEFC-4428-A9F4-5D3BB41E27A3", "versionEndIncluding": "6.2.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "DC254112-3695-422E-BD5B-B5E65F61B4B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "58A72CC1-1BCE-415C-9816-AD34C14E36FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "237EEDFE-DFB0-4D6E-BAA6-7A374A384CF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "26264C04-D8E1-4780-97C3-13F287ECF11A", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B89766D-2E3C-4CE9-92ED-8E5A8FF71D31", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3392C868-FFD8-4B00-ADD2-02CCCAEC5EC2", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5F859F4-E3EE-4C2D-A618-6E49769A1610", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1A7F660D-7C1E-43AA-B185-40309788F329", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "4C022973-D06B-4CEF-87BF-3C016AAD4770", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "36A63F3A-DC95-49FF-B6AC-FD98F8499905", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8E276D9-4C36-4630-BC44-5D49398E4452", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "BBF317B6-656C-4C2C-81F8-4864EE3F4D17", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "D691A7EF-EE47-44EC-A073-04C3C0A432E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "83E140F9-73E8-4EF7-BFDA-F56584D7FCFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "8E576B25-E43B-4C21-B1E5-EF937714ABC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "BCAB79AD-5991-4FCD-99C4-E742845BF086", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:7.6.8:*:*:*:*:*:*:*", "matchCriteriaId": "19E5EBD4-51A0-4948-BF52-442766C32B05", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B12C85B0-522C-4526-99EE-8EEFD1830281", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action."}, {"lang": "es", "value": "Extbase en TYPO3 4.3.0 en versiones anteriores a 6.2.24, 7.x en versiones anteriores a 7.6.8 y 8.1.1 permite a atacantes remotos obtener informaci\u00f3n sensible o posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s una acci\u00f3n Extbase manipulada."}], "id": "CVE-2016-5091", "lastModified": "2024-11-21T02:53:36.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-23T21:59:01.610", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/05/25/4"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/05/26/2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/05/25/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/05/26/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}