The be_user_creation task in TYPO3 4.2.x before 4.2.15 and 4.3.x before 4.3.7 allows remote authenticated users to gain privileges via a crafted POST request that creates a user account with arbitrary group memberships.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.00413
Percentile: 0.60695

CVSS Scoring

Mapped CWE(s)

• CWE-20 : Improper Input Validation

All CAPEC(s)

CAPEC(s) with Mapped TTPs

Mapped ATT&CK TTPs

• T1562.003 : Impair Command History Logging
  Kill Chain: defense-evasion
• T1574.006 : Dynamic Linker Hijacking
  Kill Chain: persistence
• T1574.007 : Path Interception by PATH Environment Variable
  Kill Chain: persistence
• T1027 : Obfuscated Files or Information
  Kill Chain: defense-evasion
• T1539 : Steal Web Session Cookie
  Kill Chain: credential-access
• T1036.001 : Invalid Code Signature
  Kill Chain: defense-evasion
• T1553.002 : Code Signing
  Kill Chain: defense-evasion

Malware

APTs Threat Group Associations

Campaigns

Affected Products

• cpe:2.3:a:typo3:typo3:4.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.3:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.4:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.5:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.6:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.7:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.8:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.9:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.10:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.11:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.12:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.13:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.2.14:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.3.3:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.3.4:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.3.5:*:*:*:*:*:*:*
• cpe:2.3:a:typo3:typo3:4.3.6:*:*:*:*:*:*:*

← Back to Home