Allele Security Alert
ASA-2019-00583
Identifier(s)
ASA-2019-00583, CVE-2019-16700, EXT-SA-2019-017
Title
Event Registration (slub_events): Multiple vulnerabilities
Vendor(s)
Saxony State and University Library (SLUB) Dresden
Product(s)
TYPO3 extension SLUB: Event Registration (slub_events)
Affected version(s)
TYPO3 extension SLUB: Event Registration (slub_events) versions before 3.0.3
Fixed version(s)
TYPO3 extension SLUB: Event Registration (slub_events) version 3.0.3
Proof of concept
Unknown
Description
The extension allows arbitrary files to be uploaded to the web server. In versions 1.2.2 and below, this vulnerability results in Remote Code Execution. In versions later than 1.2.2, the vulnerability can result in Denial of Service, since the webspace can be filled up with arbitrary files. The extension also includes jQuery 2.2.4, which is known to be vulnerable to Cross-Site Scripting.
Technical details
Unknown
Credits
Torben Hansen
Reference(s)
Multiple vulnerabilities in extension “SLUB: Event Registration” (slub_events)
https://typo3.org/security/advisory/typo3-ext-sa-2019-017/
[TYPO3-announce] [Ticket#201910155760000011] Vulnerabilities in multiple third party TYPO3 CMS extensions
http://lists.typo3.org/pipermail/typo3-announce/2019/000452.html
SLUB: Event Registration
https://extensions.typo3.org/extension/slub_events/
EXT:slub_events
https://github.com/slub/slub_events
CVE-2019-16700
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16700
CVE-2019-16700
https://nvd.nist.gov/vuln/detail/CVE-2019-16700
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: October 22, 2019