SCA: security update for typo3/cms, typo3/cms-core (GHSA-pqg8-crx9-g8m4)

high Tenable Self-Hosted Container Security Plugin ID 423525

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user
interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked
into interacting with a malicious resource an attacker previously managed to upload to the web server.
Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new
admin users can be created which can directly be used by an attacker. The vulnerability is basically a
cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on
the same target host - thus, it's actually a same-site request forgery. Malicious payload such as HTML
containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated
user using a third party extension, e.g. file upload in a contact form with knowing the target location.
To be successful, the attacked victim requires an active and valid backend or install tool user session at
the time of the attack. This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation
techniques is suggested as described below. - Sudo Mode Extension This TYPO3 extension intercepts
modifications to security relevant database tables, e.g. those storing user accounts or storages of the
file abstraction layer. Modifications need to confirmed again by the acting user providing their password
again. This technique is known as sudo mode. This way, unintended actions happening in the background can
be mitigated. - https://github.com/FriendsOfTYPO3/sudo-mode -
https://extensions.typo3.org/extension/sudo_mode - Content Security Policy Content Security Policies tell
(modern) browsers how resources served a particular site are handled. It is also possible to disallow
script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script
execution at least for locations /fileadmin/ and /uploads/. (CVE-2020-11069)

See Also

https://github.com/advisories/GHSA-pqg8-crx9-g8m4

Plugin Details

Severity: High

ID: 423525

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 3/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-11069

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/13/2020

Vulnerability Publication Date: 5/13/2020

Reference Information

CVE: CVE-2020-11069