CVE-2019-16699
CRITICAL
sr_freecap < 2.4.5 and 2.5.0-2.5.2 - Remote Code Execution via Extbase Action Injection
Title source: llm
Description
The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5.2 and below for TYPO3 fails to sanitize user input, which allows execution of arbitrary Extbase actions, resulting in Remote Code Execution.
References (2)
Core References
Third Party Advisory x_refsource_misc
https://extensions.typo3.org/extension/sr_freecap
Third Party Advisory x_refsource_confirm
https://typo3.org/security/advisory/typo3-ext-sa-2019-018/
Scores
CVSS v3
9.8
EPSS
0.0243
EPSS Percentile
82.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (2)
sjbr/sr-freecap
2.5.0 - 2.5.3 (Packagist)
sr_freecap_project/sr_freecap
2.4.0 - 2.4.5
Published
Oct 16, 2019
Tracked Since
Feb 18, 2026