svn commit: r418774 - head/security/vuxml

Torsten Zuehlsdorff tz at FreeBSD.org
Tue Jul 19 12:55:45 UTC 2016


Author: tz
Date: Tue Jul 19 12:55:43 2016
New Revision: 418774
URL: https://svnweb.freebsd.org/changeset/ports/418774

Log:
  www/typo3 and www/typo3-lts: Document missing access check in Extbase
  
  PR:          210870, 210871
  Security:    CVE-2016-5091
  Security:    https://vuxml.freebsd.org/freebsd/3caf4e6c-4cef-11e6-a15f-00248c0c745d.html
  Approved by: junovitch (mentor)

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Jul 19 12:30:09 2016	(r418773)
+++ head/security/vuxml/vuln.xml	Tue Jul 19 12:55:43 2016	(r418774)
@@ -58,6 +58,44 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="3caf4e6c-4cef-11e6-a15f-00248c0c745d">
+    <topic>typo3 -- Missing access check in Extbase</topic>
+    <affects>
+      <package>
+       <name>typo3</name>
+       <range><lt>7.6.8</lt></range>
+      </package>
+      <package>
+       <name>typo3-lts</name>
+       <range><lt>6.2.24</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>TYPO3 reports:</p>
+	<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/">
+	  <p>Extbase request handling fails to implement a proper access check for
+    requested controller/ action combinations, which makes it possible for an
+    attacker to execute arbitrary Extbase actions by crafting a special request. To
+    successfully exploit this vulnerability, an attacker must have access to at
+    least one Extbase plugin or module action in a TYPO3 installation. The missing
+    access check inevitably leads to information disclosure or remote code
+    execution, depending on the action that an attacker is able to execute.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-5091</cvename>
+      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/</url>
+      <url>https://wiki.typo3.org/TYPO3_CMS_7.6.8</url>
+      <url>https://wiki.typo3.org/TYPO3_CMS_6.2.24</url>
+    </references>
+    <dates>
+      <discovery>2016-05-24</discovery>
+      <entry>2016-07-18</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf">
     <topic>Multiple ports -- Proxy HTTP header vulnerability (httpoxy)</topic>
     <affects>
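Review bot: The indentation inside the new `<package>` elements is off by one space; `<name>typo3</name>` and `<range><lt>7.6.8</lt></range>` (and the typo3-lts pair) sit at seven spaces under a `<package>` at six, whereas the file's two-space convention puts them at eight, and the `<blockquote>` body mixes a tab-indented `<p>` with four-space continuation lines. Reindent those lines consistently and run `make validate` in security/vuxml before committing, so the entry is both well-formed and matches the surrounding entries' layout. The substance otherwise looks right: both port variants (typo3 and typo3-lts) are covered as the file's notes ask, the `<lt>` bounds line up with the 7.6.8 and 6.2.24 release wiki pages cited in `<references>`, and the CVE in `<cvename>` matches the one in the commit log.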
