CVE-2024-22188 - authenticated remote code execution in TYPO3
Abstract
TYPO3 <=11.5.32 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in a form field of the Settings dialog.
Attack Vector
A TYPO3 admin with system maintainer privileges can execute arbitrary shell commands on the respective server. A form field in the Settings dialog is prone to command injection.
Proof of Concept Details
To exploit this vulnerability, open Admintools => Settings => Configure Installation-Wide Options and set the value of
[GFX][processor_stripColorProfileCommand]
to +profile '*'; <exploit_code>#
Then execute the injected code by clicking Admintools => Environment => Image Processing => Test Images.
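The defect is that the raw setting value is spliced into a shell command string, so a ';' in the value starts a second command. The following defender-side check is an added example, not code from the advisory or from the TYPO3 project: it tokenises the setting, allows only plain ImageMagick options and values, and builds an argument vector that is never handed to a shell. The assumed default value +profile '*' and the benign stand-in payload (echo instead of real exploit code) are constructed for the example.

```python
import re
import shlex

# Assumed TYPO3 default for [GFX][processor_stripColorProfileCommand];
# the advisory does not state the default, so this is an assumption.
DEFAULT_STRIP_PROFILE = "+profile '*'"

# One ImageMagick option or value: letters, digits and a few safe punctuation
# characters. Shell metacharacters (; | & $ ` < > # newline) can never match.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_+*.,:=/-]+$")


def validate_strip_profile_setting(value: str) -> list[str]:
    """Split the setting into argv tokens and reject anything that is not a
    plain ImageMagick option or value. Raises ValueError on injection attempts."""
    try:
        tokens = shlex.split(value, posix=True)
    except ValueError as exc:  # unbalanced quotes
        raise ValueError(f"unbalanced quoting in setting: {value!r}") from exc
    if not tokens or not tokens[0].startswith(("+", "-")):
        raise ValueError(f"setting must start with an ImageMagick option: {value!r}")
    for tok in tokens:
        if not TOKEN_RE.match(tok):
            raise ValueError(f"disallowed token {tok!r} in setting {value!r}")
    return tokens


def build_unsafe_shell_command(src: str, dst: str, setting: str) -> str:
    """The pattern the advisory describes: the raw setting is spliced into one
    command string that a shell will run, so ';' in the setting ends the
    convert command and starts a second one."""
    return f"convert {src} {setting} {dst}"


def build_argv(src: str, dst: str, setting: str) -> list[str]:
    """Hardened form: validate the setting, then return an argument vector to be
    run without a shell (subprocess.run(argv, shell=False))."""
    return ["convert", src, *validate_strip_profile_setting(setting), dst]


def is_setting_safe(setting: str) -> bool:
    """True if the configured value passes validation, False otherwise."""
    try:
        validate_strip_profile_setting(setting)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values: the assumed default and a benign stand-in for
    # the injected value from the advisory (the second command is only echo).
    for value in (DEFAULT_STRIP_PROFILE, "+profile '*'; echo INJECTED #"):
        print(f"{value!r}: safe={is_setting_safe(value)}")
```

Running this over the values found in a site's LocalConfiguration.php flags any instance where the setting has been tampered with, which is also a cheap indicator to check during incident response on an affected TYPO3 version.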
Timeline
- day 0 pentest for undisclosed customer
- day 14 issue was reported to TYPO3
- day 14 CVE was requested with MITRE
- day 14 TYPO3 acknowledged the issue
- day 15 MITRE issued CVE-2024-22188
- day 39 TYPO3 released fixed versions
Credit
djo@mioso.com