
Vulnerability_id VCID-94r9-hh4g-jkej
Summary
TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling
It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. A user-submitted payload has to be signed with an HMAC-SHA1 that uses the sensitive TYPO3 encryptionKey as its secret; invalid or unsigned payloads are not deserialized.

However, since this secret could have been leaked by accident (e.g. committed to a repository or left in a commonly known, unprotected backup file), an attacker who knows the encryptionKey can compute the required HMAC-SHA1 and have a malicious payload deserialized.

Requirements for successfully exploiting this vulnerability (all of the following):

- rendering at least one Extbase plugin in the frontend
- encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file)
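The following PHP script is an added illustration of the pattern the advisory describes; it is not TYPO3 code. It models a signed-and-serialized request payload: the HMAC check rejects anything not signed with the key, but once the key is known the same check happily admits a serialized object, and `unserialize()` runs that object's magic methods before the application sees the result. The `LogFlusher` class, the `appendHmac`/`validateAndStripHmac` helpers and the key value are all constructed for this example.

```php
<?php
// Added example, not TYPO3's own code. All class and function names are hypothetical.
declare(strict_types=1);

// Stand-in for the TYPO3 encryptionKey that the advisory assumes has leaked
// (constructed value for this demo).
const ENCRYPTION_KEY = 'example-leaked-encryption-key-0123456789';

// Hypothetical class whose __wakeup() has a side effect. Any autoloadable class with
// such a magic method can serve as a gadget once an attacker controls unserialize() input.
final class LogFlusher
{
    public static int $wakeups = 0;

    public function __construct(public string $note) {}

    public function __wakeup(): void
    {
        // Runs during unserialize(), before the caller can inspect the object.
        self::$wakeups++;
    }
}

// Sign: append hex HMAC-SHA1 (40 chars) of the payload under the key.
function appendHmac(string $payload, string $key): string
{
    return $payload . hash_hmac('sha1', $payload, $key);
}

// Verify: constant-time compare, return the bare payload or null on mismatch.
function validateAndStripHmac(string $signed, string $key): ?string
{
    if (strlen($signed) <= 40) {
        return null;
    }
    $payload = substr($signed, 0, -40);
    $hmac = substr($signed, -40);
    return hash_equals(hash_hmac('sha1', $payload, $key), $hmac) ? $payload : null;
}

// Vulnerable pattern: a valid HMAC is the only gate in front of unserialize().
function restoreRequestVulnerable(string $signed, string $key): mixed
{
    $payload = validateAndStripHmac($signed, $key);
    if ($payload === null) {
        throw new RuntimeException('HMAC mismatch: payload rejected');
    }
    return unserialize($payload);
}

// Hardened pattern: same signature check, but the decoder cannot instantiate objects.
function restoreRequestHardened(string $signed, string $key): array
{
    $payload = validateAndStripHmac($signed, $key);
    if ($payload === null) {
        throw new RuntimeException('HMAC mismatch: payload rejected');
    }
    $data = json_decode($payload, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('unexpected payload shape');
    }
    return $data;
}

// 1. Legitimate use: the application serializes plain request state and signs it.
$legit = appendHmac(serialize(['@extension' => 'blog', '@action' => 'list']), ENCRYPTION_KEY);
echo "legit action: " . restoreRequestVulnerable($legit, ENCRYPTION_KEY)['@action'] . "\n";

// 2. Tampering without the key: the HMAC no longer matches and nothing is deserialized.
$tampered = str_replace('"list"', '"edit"', $legit);
try {
    restoreRequestVulnerable($tampered, ENCRYPTION_KEY);
} catch (RuntimeException $e) {
    echo "tampered payload: " . $e->getMessage() . "\n";
}

// 3. With the leaked key, an attacker signs an object payload instead of an array.
//    The HMAC check passes and __wakeup() runs inside unserialize().
$gadget = appendHmac(serialize(new LogFlusher('attacker-controlled')), ENCRYPTION_KEY);
restoreRequestVulnerable($gadget, ENCRYPTION_KEY);
echo "gadget __wakeup() calls after vulnerable restore: " . LogFlusher::$wakeups . "\n";

// 4. The hardened decoder accepts the same signature but refuses the object payload,
//    and still round-trips ordinary request state encoded as JSON.
try {
    restoreRequestHardened($gadget, ENCRYPTION_KEY);
} catch (JsonException $e) {
    echo "hardened restore rejected serialized object: " . $e->getMessage() . "\n";
}
$legitJson = appendHmac(json_encode(['@extension' => 'blog', '@action' => 'list']), ENCRYPTION_KEY);
echo "hardened action: " . restoreRequestHardened($legitJson, ENCRYPTION_KEY)['@action'] . "\n";
```

The point of the example is that the HMAC only proves the payload came from a key holder; it says nothing about what the payload will do when deserialized. If the serialized format cannot be replaced with JSON, the minimal change is `unserialize($payload, ['allowed_classes' => false])`, which turns any object into `__PHP_Incomplete_Class` without invoking `__wakeup()` or `__unserialize()`. Independently of the code fix, a leaked encryptionKey should be rotated, since every signed artifact produced under it remains forgeable.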
Aliases
0
alias GHSA-hh95-5xm5-v8v7
Fixed_packages
0
url pkg:composer/typo3/cms@8.7.30
purl pkg:composer/typo3/cms@8.7.30
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ffs-9vj5-27hk
1
vulnerability VCID-848u-w88s-5bbe
2
vulnerability VCID-ev4k-5k1d-2bhu
3
vulnerability VCID-fqkx-v8t5-q3h6
4
vulnerability VCID-jp1p-rfxa-hyd9
5
vulnerability VCID-tgyt-axv1-c7ag
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.7.30
1
url pkg:composer/typo3/cms@9.5.12
purl pkg:composer/typo3/cms@9.5.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ffs-9vj5-27hk
1
vulnerability VCID-1sfk-z8py-ykb8
2
vulnerability VCID-4an7-9ph4-mkd4
3
vulnerability VCID-6mnf-2fcw-dqgp
4
vulnerability VCID-848u-w88s-5bbe
5
vulnerability VCID-8w4e-d49b-nbg8
6
vulnerability VCID-bbh5-rss8-bfct
7
vulnerability VCID-bcbd-zzet-mff6
8
vulnerability VCID-e6zr-4bgg-kkh5
9
vulnerability VCID-ev4k-5k1d-2bhu
10
vulnerability VCID-fqkx-v8t5-q3h6
11
vulnerability VCID-jp1p-rfxa-hyd9
12
vulnerability VCID-n1gz-y615-cbbk
13
vulnerability VCID-tgyt-axv1-c7ag
14
vulnerability VCID-zkvq-bms4-gfcv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.5.12
Affected_packages
0
url pkg:composer/typo3/cms@8.0.0
purl pkg:composer/typo3/cms@8.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11sw-6x9k-vued
1
vulnerability VCID-11u3-8xzy-jfhh
2
vulnerability VCID-1ffs-9vj5-27hk
3
vulnerability VCID-28fn-ncj5-2ufk
4
vulnerability VCID-2r7u-mc45-8yhe
5
vulnerability VCID-2rhr-8vaz-hqfj
6
vulnerability VCID-2rmv-a83x-9ka8
7
vulnerability VCID-2vpx-fqb6-aqfa
8
vulnerability VCID-39jx-muqb-nkfq
9
vulnerability VCID-39vn-73mc-jqav
10
vulnerability VCID-3ugj-6m1e-e3hr
11
vulnerability VCID-4eym-e6vt-8fbs
12
vulnerability VCID-4wnp-gusy-43b8
13
vulnerability VCID-5dxs-cdht-27hw
14
vulnerability VCID-5k47-9k7t-rqak
15
vulnerability VCID-5u2f-5zzf-j3e4
16
vulnerability VCID-66kh-c1dm-8fbf
17
vulnerability VCID-66ru-n2df-b3ay
18
vulnerability VCID-6su8-bbrw-hbhp
19
vulnerability VCID-727q-h3ey-6yc9
20
vulnerability VCID-7ch1-q9f4-a7bt
21
vulnerability VCID-7m6u-k5tp-gkhy
22
vulnerability VCID-848u-w88s-5bbe
23
vulnerability VCID-8p64-6zpt-t3av
24
vulnerability VCID-94r9-hh4g-jkej
25
vulnerability VCID-953t-q1cr-zyd6
26
vulnerability VCID-9726-hafj-wkay
27
vulnerability VCID-9saf-w56y-pugz
28
vulnerability VCID-9yu1-z7c2-t3fj
29
vulnerability VCID-abjx-8v46-d7d8
30
vulnerability VCID-am6s-67bm-77dr
31
vulnerability VCID-bn3p-39sv-6fdg
32
vulnerability VCID-bq2j-t19h-zyad
33
vulnerability VCID-bstt-ybrs-5ua3
34
vulnerability VCID-buj5-2t53-3kcr
35
vulnerability VCID-d6c2-upx1-e7cd
36
vulnerability VCID-dsqm-9q3e-dudw
37
vulnerability VCID-e564-zdku-9fc6
38
vulnerability VCID-emqq-kwjg-3kfk
39
vulnerability VCID-eutz-mj58-audb
40
vulnerability VCID-ev4k-5k1d-2bhu
41
vulnerability VCID-f319-jpf5-hyex
42
vulnerability VCID-fdnw-2tz5-4fdr
43
vulnerability VCID-fgqa-5fx9-nkaz
44
vulnerability VCID-fh61-7rfy-s3hg
45
vulnerability VCID-fqkc-utex-3kav
46
vulnerability VCID-fqkx-v8t5-q3h6
47
vulnerability VCID-fut7-bb1f-37g7
48
vulnerability VCID-g7mm-vjbw-bbhd
49
vulnerability VCID-gk79-jtuz-myh6
50
vulnerability VCID-gpv4-4tpd-tbaa
51
vulnerability VCID-h217-xe8x-nua3
52
vulnerability VCID-h7cg-64er-uya9
53
vulnerability VCID-h7hf-sf2q-73ay
54
vulnerability VCID-hp99-ncuh-6ugv
55
vulnerability VCID-hsw8-nbs6-auaa
56
vulnerability VCID-hyx9-8ae6-sba8
57
vulnerability VCID-hzma-cduk-3uhp
58
vulnerability VCID-j8hk-bqnb-gycp
59
vulnerability VCID-j8sh-5evd-dkaz
60
vulnerability VCID-jeqr-9tfu-f7b2
61
vulnerability VCID-jf28-91be-6kbr
62
vulnerability VCID-jmea-qzsr-wkf4
63
vulnerability VCID-jn38-wfec-7bb2
64
vulnerability VCID-jp1p-rfxa-hyd9
65
vulnerability VCID-jq5y-7h9g-mufa
66
vulnerability VCID-jqe4-8hzb-mfea
67
vulnerability VCID-jwb1-3sbg-kfa5
68
vulnerability VCID-k5t3-28es-h3ez
69
vulnerability VCID-khpm-e1xb-hydb
70
vulnerability VCID-ks1q-a8x2-uqht
71
vulnerability VCID-m3nc-xbb4-yubr
72
vulnerability VCID-mctp-nf36-7qdn
73
vulnerability VCID-nhjv-nke2-2kf8
74
vulnerability VCID-njsj-bwjq-fyap
75
vulnerability VCID-nney-azbc-pucg
76
vulnerability VCID-nvbp-pbjw-3qgx
77
vulnerability VCID-p576-w7dd-p3h7
78
vulnerability VCID-p7gd-anw2-1qbz
79
vulnerability VCID-pmvp-twk2-jqe4
80
vulnerability VCID-q2ym-y2rz-1bdn
81
vulnerability VCID-q52p-xfj8-gygd
82
vulnerability VCID-q7vt-19eb-sqeq
83
vulnerability VCID-qcnh-z4zh-myaw
84
vulnerability VCID-qdxh-arxx-wbcr
85
vulnerability VCID-qxab-9uwr-yqhv
86
vulnerability VCID-rqrw-t2kj-mud8
87
vulnerability VCID-ru6w-m6q6-27gn
88
vulnerability VCID-sdjb-gp4t-vbgt
89
vulnerability VCID-sdsa-mh76-kqch
90
vulnerability VCID-sdz8-hju8-4bcb
91
vulnerability VCID-sy7r-d6pv-yba9
92
vulnerability VCID-teby-zvvw-zkhv
93
vulnerability VCID-tzpj-j3x1-ekgk
94
vulnerability VCID-u259-2sxq-tbct
95
vulnerability VCID-u4tq-8qnk-5fd7
96
vulnerability VCID-u5he-6tqb-gqaf
97
vulnerability VCID-u6as-cwxc-pkhk
98
vulnerability VCID-uq77-aax5-k7d8
99
vulnerability VCID-vq15-t92r-5bhx
100
vulnerability VCID-vw2r-g8yy-eyf4
101
vulnerability VCID-w483-prq4-rycx
102
vulnerability VCID-w58p-3wg1-7ycr
103
vulnerability VCID-wat8-4m83-hken
104
vulnerability VCID-wy45-2gmr-fkfg
105
vulnerability VCID-x175-xjek-97ds
106
vulnerability VCID-x5x1-w7yv-eye9
107
vulnerability VCID-xh68-defe-f7ce
108
vulnerability VCID-xpxg-qq49-b7fd
109
vulnerability VCID-xvyu-2hb8-8ufh
110
vulnerability VCID-xw1s-93bu-wuh9
111
vulnerability VCID-y7ds-p5r2-yuhq
112
vulnerability VCID-ygw4-jdqu-4fbt
113
vulnerability VCID-yh6b-tc4u-v3bk
114
vulnerability VCID-yn6z-9v7k-x7br
115
vulnerability VCID-yz6t-ge1y-qfgr
116
vulnerability VCID-zgfw-pk39-gyg8
117
vulnerability VCID-zmwv-gwq3-fkej
118
vulnerability VCID-zrz3-3dnf-tbay
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@8.0.0
1
url pkg:composer/typo3/cms@9.0.0
purl pkg:composer/typo3/cms@9.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11sw-6x9k-vued
1
vulnerability VCID-11u3-8xzy-jfhh
2
vulnerability VCID-1ffs-9vj5-27hk
3
vulnerability VCID-1sfk-z8py-ykb8
4
vulnerability VCID-28fn-ncj5-2ufk
5
vulnerability VCID-2rhr-8vaz-hqfj
6
vulnerability VCID-2rmv-a83x-9ka8
7
vulnerability VCID-39vn-73mc-jqav
8
vulnerability VCID-3k2k-a3gb-n3ba
9
vulnerability VCID-3ugj-6m1e-e3hr
10
vulnerability VCID-3ye6-vqje-abh4
11
vulnerability VCID-4an7-9ph4-mkd4
12
vulnerability VCID-4eym-e6vt-8fbs
13
vulnerability VCID-4jck-w9ct-budk
14
vulnerability VCID-5k47-9k7t-rqak
15
vulnerability VCID-66kh-c1dm-8fbf
16
vulnerability VCID-6mnf-2fcw-dqgp
17
vulnerability VCID-7ch1-q9f4-a7bt
18
vulnerability VCID-7m6u-k5tp-gkhy
19
vulnerability VCID-7xv1-78u7-xufp
20
vulnerability VCID-848u-w88s-5bbe
21
vulnerability VCID-8w4e-d49b-nbg8
22
vulnerability VCID-94r9-hh4g-jkej
23
vulnerability VCID-953t-q1cr-zyd6
24
vulnerability VCID-9adx-p876-kyb5
25
vulnerability VCID-9yu1-z7c2-t3fj
26
vulnerability VCID-a1g9-pyz5-9fca
27
vulnerability VCID-abjx-8v46-d7d8
28
vulnerability VCID-am6s-67bm-77dr
29
vulnerability VCID-bbh5-rss8-bfct
30
vulnerability VCID-buj5-2t53-3kcr
31
vulnerability VCID-cvk2-93hm-gkhx
32
vulnerability VCID-dsqm-9q3e-dudw
33
vulnerability VCID-e6zr-4bgg-kkh5
34
vulnerability VCID-emqq-kwjg-3kfk
35
vulnerability VCID-ev4k-5k1d-2bhu
36
vulnerability VCID-f319-jpf5-hyex
37
vulnerability VCID-f4n7-q72x-3yea
38
vulnerability VCID-fpa2-ffg1-fyaa
39
vulnerability VCID-fqkc-utex-3kav
40
vulnerability VCID-fqkx-v8t5-q3h6
41
vulnerability VCID-fut7-bb1f-37g7
42
vulnerability VCID-gpv4-4tpd-tbaa
43
vulnerability VCID-hknp-f88a-kqec
44
vulnerability VCID-hp99-ncuh-6ugv
45
vulnerability VCID-hsw8-nbs6-auaa
46
vulnerability VCID-j8hk-bqnb-gycp
47
vulnerability VCID-je4q-svfw-hqda
48
vulnerability VCID-jp1p-rfxa-hyd9
49
vulnerability VCID-jq5y-7h9g-mufa
50
vulnerability VCID-jwb1-3sbg-kfa5
51
vulnerability VCID-k5t3-28es-h3ez
52
vulnerability VCID-khpm-e1xb-hydb
53
vulnerability VCID-n1gz-y615-cbbk
54
vulnerability VCID-njsj-bwjq-fyap
55
vulnerability VCID-nney-azbc-pucg
56
vulnerability VCID-p576-w7dd-p3h7
57
vulnerability VCID-p7gd-anw2-1qbz
58
vulnerability VCID-pmvp-twk2-jqe4
59
vulnerability VCID-q2t1-kx56-s3c3
60
vulnerability VCID-q7vt-19eb-sqeq
61
vulnerability VCID-qcnh-z4zh-myaw
62
vulnerability VCID-qdxh-arxx-wbcr
63
vulnerability VCID-qv14-m93d-jyd9
64
vulnerability VCID-qxab-9uwr-yqhv
65
vulnerability VCID-rqrw-t2kj-mud8
66
vulnerability VCID-ru6w-m6q6-27gn
67
vulnerability VCID-sdjb-gp4t-vbgt
68
vulnerability VCID-sdsa-mh76-kqch
69
vulnerability VCID-teby-zvvw-zkhv
70
vulnerability VCID-tgyt-axv1-c7ag
71
vulnerability VCID-tzpj-j3x1-ekgk
72
vulnerability VCID-u259-2sxq-tbct
73
vulnerability VCID-u6as-cwxc-pkhk
74
vulnerability VCID-un7r-8sah-33cr
75
vulnerability VCID-uq77-aax5-k7d8
76
vulnerability VCID-vq15-t92r-5bhx
77
vulnerability VCID-vw2r-g8yy-eyf4
78
vulnerability VCID-w1wb-mq2y-dfca
79
vulnerability VCID-w7z1-aw31-vugx
80
vulnerability VCID-wat8-4m83-hken
81
vulnerability VCID-x5x1-w7yv-eye9
82
vulnerability VCID-xvyu-2hb8-8ufh
83
vulnerability VCID-xw1s-93bu-wuh9
84
vulnerability VCID-y7ds-p5r2-yuhq
85
vulnerability VCID-yh6b-tc4u-v3bk
86
vulnerability VCID-yz6t-ge1y-qfgr
87
vulnerability VCID-zeut-9wfp-q7et
88
vulnerability VCID-zgfw-pk39-gyg8
89
vulnerability VCID-zkvq-bms4-gfcv
90
vulnerability VCID-zmwv-gwq3-fkej
91
vulnerability VCID-zybp-mb3d-jyee
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms@9.0.0
References
0
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-12-17-7.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-12-17-7.yaml
1
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
2
reference_url https://github.com/TYPO3/typo3/commit/57e4ed35a6e58521a931855e702b2688b3bc3d62
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/57e4ed35a6e58521a931855e702b2688b3bc3d62
3
reference_url https://github.com/TYPO3/typo3/commit/b1626ad8fd4aebedc15e424a76f86094d78b2564
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/b1626ad8fd4aebedc15e424a76f86094d78b2564
4
reference_url https://typo3.org/security/advisory/typo3-psa-2019-011
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-psa-2019-011
5
reference_url https://github.com/advisories/GHSA-hh95-5xm5-v8v7
reference_id GHSA-hh95-5xm5-v8v7
reference_type
scores
url https://github.com/advisories/GHSA-hh95-5xm5-v8v7
Weaknesses
0
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
1
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-94r9-hh4g-jkej