Voozh

sr_freecap for Typo3 RCE Vulnerability

Critical severity GitHub Reviewed Published to the GitHub Advisory Database • Updated

Package

sjbr/sr-freecap (Composer)

Affected versions

>= 2.5.0, < 2.5.3

< 2.4.6

Patched versions

2.5.3

2.4.6

Description

The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5.2 and below for TYPO3 fails to sanitize user input, which allows execution of arbitrary Extbase actions, resulting in Remote Code Execution.

References

https://nvd.nist.gov/vuln/detail/CVE-2019-16699
https://extensions.typo3.org/extension/sr_freecap
https://typo3.org/security/advisory/typo3-ext-sa-2019-018/

Published by the National Vulnerability Database

Published to the GitHub Advisory Database

Reviewed

Last updated

Severity

Critical

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS score

(82nd percentile)

Weaknesses

CVE ID

CVE-2019-16699

GHSA ID

GHSA-598p-rv6p-g7qc

Source code

mavolkmer/sr-freecap

See something to contribute? Suggest improvements for this vulnerability.

URL: https://github.com/advisories/GHSA-598p-rv6p-g7qc

⇱ sr_freecap for Typo3 RCE Vulnerability · CVE-2019-16699 · GitHub Advisory Database · GitHub

sr_freecap for Typo3 RCE Vulnerability

Package

Affected versions

Patched versions

Description

References

Severity

CVSS v3 base metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code