VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-2mn6-mdmz-4yd9

Essentials
Severities (21)
References (7)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-2mn6-mdmz-4yd9
Aliases	CVE-2020-11069 GHSA-pqg8-crx9-g8m4
Summary	Backend Same-Site Request Forgery in TYPO3 CMS > ### Meta > * CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C > * CWE-352 > * CWE-346 ### Problem It has been discovered that backend user interface and install tool are vulnerable to same-origin request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims' user session. In a worst case scenario new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it’s actually a same-origin request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a 3rd party extension - e.g. file upload in a contact form with knowing the target location. The attacked victim requires an active and valid backend or install tool user sessions at the time of the attack to be successful. ### Solution Update to TYPO3 versions 9.5.17 or 10.4.2 that mitigates the problem described. ### Additional Considerations The deployment of additional mitigation techniques is suggested as described below. #### Sudo Mode Extension This TYPO3 extension intercepts modifications to security relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to confirmed by again by the acting user with providing their password again - this technique is known as "sudo mode". This way unintended actions happening in the background can be mitigated. * https://github.com/FriendsOfTYPO3/sudo-mode * https://extensions.typo3.org/extension/sudo_mode #### Content Security Policy [Content Security Policies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) tell (modern) browsers how resources served a particular site are handled - it also it possible to disallow script executions for specific locations. In a TYPO3 context it is suggested to disallow direct script execution at least for locations `/fileadmin/` and `/uploads/`. ``` # in fileadmin/.htaccess <IfModule mod_headers.c> Header add Content-Security-Policy "default-src 'self'; script-src 'none';" </IfModule> ``` ### Credits Thanks to Matteo Bonaker who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-006
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-346	Origin Validation Error
CWE-352	Cross-Site Request Forgery (CSRF)
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
epss	0.00398	https://api.first.org/data/v1/epss?cve=CVE-2020-11069
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-pqg8-crx9-g8m4
cvssv3.1	8.0	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml
generic_textual	HIGH	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml
cvssv3.1	8.0	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml
generic_textual	HIGH	https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml
cvssv3.1	8.0	https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4
cvssv3.1_qr	HIGH	https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4
generic_textual	HIGH	https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4
cvssv3.1	8.0	https://nvd.nist.gov/vuln/detail/CVE-2020-11069
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2020-11069
cvssv3.1	8.0	https://typo3.org/security/advisory/typo3-core-sa-2020-006
generic_textual	HIGH	https://typo3.org/security/advisory/typo3-core-sa-2020-006

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2020-11069
		https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml
		https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml
		https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4
		https://nvd.nist.gov/vuln/detail/CVE-2020-11069
		https://typo3.org/security/advisory/typo3-core-sa-2020-006
GHSA-pqg8-crx9-g8m4		https://github.com/advisories/GHSA-pqg8-crx9-g8m4

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11069.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11069.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-pqg8-crx9-g8m4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-11069

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://typo3.org/security/advisory/typo3-core-sa-2020-006

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.60485
EPSS Score	0.00398
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:00:33.504272+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-pqg8-crx9-g8m4/GHSA-pqg8-crx9-g8m4.json	38.0.0