FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

typo3 -- Missing access check in Extbase

Affected packages
typo3 < 7.6.8
typo3-lts < 6.2.24


VuXML ID 3caf4e6c-4cef-11e6-a15f-00248c0c745d
Discovery 2016-05-24
Entry 2016-07-18

TYPO3 reports:

Extbase request handling fails to implement a proper access check for requested controller/action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.


CVE Name CVE-2016-5091