CVE-2021-43562

EPSS 1.47%
Veröffentlicht 10.11.2021 15:15:12
Zuletzt bearbeitet 21.11.2024 06:29:26
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in the pixxio (aka pixx.io integration or DAM) extension before 1.0.6 for TYPO3. The extension fails to restrict the image download to the configured pixx.io DAM URL, resulting in SSRF. As a result, an attacker can download various content from a remote location and save it to a user-controlled filename, which may result in Remote Code Execution. A TYPO3 backend user account is required to exploit this.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pixxio ≫ Pixx.Io SwPlatformtypo3 Version < 1.0.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.47%	0.791

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://typo3.org/security/advisory/typo3-ext-sa-2021-017

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-43562

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-43562

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-43562

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-43562