From owner-svn-ports-head@freebsd.org Wed Dec 25 12:25:57 2019
Message-Id: <201912251225.xBPCPu4H046004@repo.freebsd.org>
From: Jochen Neumeister
Date: Wed, 25 Dec 2019 12:25:56 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r520853 - head/security/vuxml

Author: joneum
Date: Wed Dec 25 12:25:56 2019
New Revision: 520853
URL: https://svnweb.freebsd.org/changeset/ports/520853

Log:
  Add entry for typo3

  PR:		242707 242708
  Sponsored by:	Netzkommune GmbH

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Dec 25 12:21:47 2019 (r520852) +++ head/security/vuxml/vuln.xml Wed Dec 25 12:25:56 2019 (r520853) @@ -58,6 +58,93 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + typo3 -- multiple vulnerabilities + + + typo3-8 + 8.7.30 + + + typo3-9 + 9.5.13 + + + + +

Typo3 core team reports:

+
+

It has been discovered that the output of field validation errors in the Form Framework is vulnerable + to cross-site scripting.

+

It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site + scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering + with typolink.

+

It has been discovered that the output table listing in the Files backend module is vulnerable to cross-site + scripting when a file extension contains malicious sequences. Access to the file system of the server - either + directly or through synchronization - is required to exploit the vulnerability.

+

It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable + to directory traversal. Admin privileges are required in order to exploit this vulnerability. Since TYPO3 v9 LTS, + System Maintainer privileges are required as well.

+

Failing to properly escape user submitted content, class QueryGenerator is vulnerable to SQL injection. + Having system extension ext:lowlevel installed and a valid backend user having administrator privileges are + required to exploit this vulnerability.

+

It has been discovered that classes QueryGenerator and QueryView are vulnerable to insecure deserialization. + Requirements for successfully exploiting this vulnerability (one of the following): + - having system extension ext:lowlevel (Backend Module: DB Check) installed and valid backend user having + administrator privileges + - having system extension ext:sys_action installed and valid backend user having limited privileges

+

TYPO3 allows to upload files either in the backend user interface as well as in custom developed extensions. + To reduce the possibility to upload potential malicious code TYPO3 uses the fileDenyPattern to deny e.g. user + submitted PHP scripts from being persisted. Besides that it is possible for any editor to upload file assets + using the file module (fileadmin) or changing their avatar image shown in the TYPO3 backend. + + Per default TYPO3 allows to upload and store HTML and SVG files as well using the mentioned functionalities. + Custom extension implementations probably would also accept those files when only the fileDenyPattern is evaluated. + + Since HTML and SVG files - which might contain executable JavaScript code per W3C standard - could be directly + displayed in web clients, the whole web application is exposed to be vulnerable concerning Cross-Site Scripting. + Currently the following scenarios are known - given an authenticated regular editor is able to upload files using + the TYPO3 backend: + - directly target a potential victim to a known public resource in a URL, e.g. /fileadmin/malicious.svg or + /fileadmin/malicious.html + - using the TypoScript content object “SVG” (implemented in class ScalableVectorGraphicsContentObject) + having renderMode set to inline for SVG files (available since TYPO3 v9.0) + - custom implementations that directly output and render markup of HTML and SVG files + + SVG files that are embedded using an img src=”malicious.svg” tag are not vulnerable since potential + scripts are not executed in these scenarios (see https://www.w3.org/wiki/SVG_Security). The icon API of TYPO3 + is not scope of this announcement since SVG icons need to be registered using an individual implementation, + which is not considered as user submitted content.

+

It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. + User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey + as secret - invalid or unsigned payload is not deserialized. + + However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly + known and unprotected backup files), there is the possibility that attackers know the private encryptionKey + and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized. + + Requirements for successfully exploiting this vulnerability (all of the following): + - rendering at least one Extbase plugin in the frontend + - encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file).

+
+ +
+ + https://typo3.org/security/advisory/typo3-core-sa-2019-021/ + https://typo3.org/security/advisory/typo3-core-sa-2019-022/ + https://typo3.org/security/advisory/typo3-core-sa-2019-023/ + https://typo3.org/security/advisory/typo3-core-sa-2019-024/ + https://typo3.org/security/advisory/typo3-core-sa-2019-025/ + https://typo3.org/security/advisory/typo3-core-sa-2019-026/ + https://typo3.org/security/advisory/typo3-psa-2019-010/ + https://typo3.org/security/advisory/typo3-psa-2019-011/ + + + 2019-12-17 + 2019-12-25 + +
+ e2fsprogs -- maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck
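Review bot: the references block of the new entry lists only the eight typo3.org advisory URLs and no CVE names; if CVE identifiers have been assigned for these advisories, add matching cvename references so the entry can be found by CVE. The SVG paragraph also carries a mismatched pair of curly quotes in `img src=”malicious.svg”` (a closing quote on both sides); plain ASCII quotes would be safer in vuln.xml. Since the description reproduces long passages from all eight advisories verbatim, a one-paragraph summary per advisory with the details left to the references would keep the entry readable; in either case, confirm that `make validate` in security/vuxml passes on the committed file.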