CVE-2020-26229

LOW

TYPO3 10.4.0-10.4.9 - Authenticated XML External Entity Injection in RSS Widgets

Title source: llm

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2

Vendor Advisory x_refsource_misc

https://typo3.org/security/advisory/typo3-core-sa-2020-012

Scores

CVSS v3 3.7

EPSS 0.0027

EPSS Percentile 50.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L

Details

CWE

CWE-611

Status published

Products (3)

typo3/cms 10.0.0 - 10.4.10Packagist

typo3/cms-core 10.0.0 - 10.4.10Packagist

typo3/typo3 10.0.0 - 10.4.10

Published Nov 23, 2020

Tracked Since Feb 18, 2026