Allele Security Alert
ASA-2019-00584
Identifier(s)
ASA-2019-00584, CVE-2019-16699, EXT-SA-2019-018
Title
Remote Code Execution
Vendor(s)
SJBR
Product(s)
TYPO3 extension freeCap CAPTCHA (sr_freecap)
Affected version(s)
TYPO3 extension freeCap CAPTCHA (sr_freecap) versions before 2.5.3
TYPO3 extension freeCap CAPTCHA (sr_freecap) versions before 2.4.6
Fixed version(s)
TYPO3 extension freeCap CAPTCHA (sr_freecap) version 2.5.3
TYPO3 extension freeCap CAPTCHA (sr_freecap) version 2.4.6
Proof of concept
Unknown
Description
The extension fails to sanitize user input, which allows an unauthenticated attacker to execute arbitrary Extbase actions, resulting in Remote Code Execution. Users should update to version 2.5.3 or 2.4.6, depending on the branch in use.
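The advisory gives no technical details, so the following is a constructed illustration of the vulnerability class it names (a request-controlled Extbase dispatch) and of the usual hardening, not code from sr_freecap and not the vendor's patch. Every vendor, extension, controller and action name in it is an assumption chosen for the example.

```php
<?php
// Added illustration of the vulnerability class named in the advisory:
// an entry point that lets the HTTP request choose which Extbase
// controller/action gets executed. This is a constructed example, not
// sr_freecap code and not the vendor's fix; all names below are assumed.

declare(strict_types=1);

// Stand-in for the Extbase bootstrap: records what would be dispatched
// instead of running a real TYPO3 request.
function fakeBootstrap(array $configuration): string
{
    return sprintf('dispatched %s->%s', $configuration['controller'], $configuration['action']);
}

// Vulnerable pattern: every dispatch parameter is copied from the request.
// Any public action of any controller the bootstrap can reach becomes
// callable by an unauthenticated visitor, which is how "arbitrary Extbase
// actions" turn into code execution.
function dispatchUnsafe(array $request): string
{
    $configuration = [
        'vendorName'    => $request['vendorName']    ?? '',
        'extensionName' => $request['extensionName'] ?? '',
        'pluginName'    => $request['pluginName']    ?? '',
        'controller'    => $request['controller']    ?? '',
        'action'        => $request['action']        ?? '',
    ];
    return fakeBootstrap($configuration);
}

// Hardened pattern: vendor, extension and plugin are fixed server-side,
// and the request may only select from an explicit allow-list of
// controller/action pairs. Anything else is rejected before dispatch.
const ALLOWED_ACTIONS = [
    'CaptchaImage' => ['render'],     // assumed controller/action names
    'CaptchaAudio' => ['render'],
];

function dispatchSafe(array $request): string
{
    $controller = (string)($request['controller'] ?? '');
    $action     = (string)($request['action'] ?? '');

    if (!isset(ALLOWED_ACTIONS[$controller])
        || !in_array($action, ALLOWED_ACTIONS[$controller], true)) {
        return 'rejected';                  // real code would send HTTP 400
    }

    $configuration = [
        'vendorName'    => 'ExampleVendor', // never taken from the request
        'extensionName' => 'ExampleExt',
        'pluginName'    => 'Captcha',
        'controller'    => $controller,
        'action'        => $action,
    ];
    return fakeBootstrap($configuration);
}

// Constructed requests: a legitimate CAPTCHA fetch, and one that tries to
// reach an unrelated controller action through the same entry point.
$legit   = ['controller' => 'CaptchaImage', 'action' => 'render'];
$hostile = ['vendorName' => 'TYPO3', 'extensionName' => 'Anything',
            'pluginName' => 'Any', 'controller' => 'Admin', 'action' => 'runTask'];

echo dispatchUnsafe($hostile), PHP_EOL;
echo dispatchSafe($legit), PHP_EOL;
echo dispatchSafe($hostile), PHP_EOL;
```

The point of the allow-list is that the single-purpose entry point (serving a CAPTCHA image or audio file) never needs the request to name a vendor, extension or plugin; fixing those server-side and enumerating the permitted controller/action pairs removes the attacker's choice entirely. When reviewing a TYPO3 extension that exposes an eID script or similar entry point, check whether any of the Extbase bootstrap's configuration keys are read from `$_GET`/`$_POST` without such a check.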
Technical details
Unknown
Credits
Kai Ullrich (Code White GmbH)
Reference(s)
Remote Code Execution in extension “freeCap CAPTCHA” (sr_freecap)
https://typo3.org/security/advisory/typo3-ext-sa-2019-018/
freeCap CAPTCHA (sr_freecap)
https://extensions.typo3.org/extension/sr_freecap/
[TYPO3-announce] [Ticket#201910155760000011] Vulnerabilities in multiple third party TYPO3 CMS extensions
http://lists.typo3.org/pipermail/typo3-announce/2019/000452.html
62009:[BUGFIX] Resolves Security Ticket#201907155760000027
https://review.typo3.org/c/TYPO3CMS/Extensions/sr_freecap/+/62009
[BUGFIX] Resolves Security Ticket#201907155760000027
https://github.com/TYPO3-extensions/sr_freecap/commit/21b2da5b363600c8cd2d196c23ea96a3002fddfa
CVE-2019-16699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16699
CVE-2019-16699
https://nvd.nist.gov/vuln/detail/CVE-2019-16699
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 22, 2019