CVE-2019-16699

CRITICAL

sr_freecap < 2.4.5 and 2.5.0-2.5.2 - Remote Code Execution via Extbase Action Injection

Title source: llm

Description

The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5.2 and below for TYPO3 fails to sanitize user input, which allows execution of arbitrary Extbase actions, resulting in Remote Code Execution.

References (2)

Core References
Third Party Advisory x_refsource_misc
https://extensions.typo3.org/extension/sr_freecap
Third Party Advisory x_refsource_confirm
https://typo3.org/security/advisory/typo3-ext-sa-2019-018/

Scores

CVSS v3 9.8
EPSS 0.0243
EPSS Percentile 82.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (2)
sjbr/sr-freecap 2.5.0 - 2.5.3 (Packagist)
sr_freecap_project/sr_freecap 2.4.0 - 2.4.5
Published Oct 16, 2019
Tracked Since Feb 18, 2026