CVE-2020-26229: Improper Restriction of XML External Entity Reference

November 23, 2020 (updated December 1, 2020)

TYPO3 is an open source PHP based web content management system. In TYPO3 from, and, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.

References

nvd.nist.gov/vuln/detail/CVE-2020-26229
typo3.org/security/advisory/typo3-core-sa-2020-012

Detect and mitigate CVE-2020-26229 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →