CVE-2020-28917 : Vulnerability Insights and Analysis

Discover the security impact of CVE-2020-28917 in TYPO3 view_statistics extension. Learn about the vulnerability, affected systems, exploitation, and mitigation steps.

An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g., cleartext passwords if ext:felogin is installed) may be saved.

Understanding CVE-2020-28917

This CVE involves a security vulnerability in the view_statistics extension for TYPO3.

What is CVE-2020-28917?

CVE-2020-28917 is a vulnerability in the view_statistics extension of TYPO3 that allows the saving of sensitive data from frontend requests to the database.

The Impact of CVE-2020-28917

The vulnerability has high confidentiality and integrity impact, because sensitive data such as cleartext passwords can be stored in the database.

Technical Details of CVE-2020-28917

This section provides technical details of the CVE.

Vulnerability Description

The vulnerability in the view_statistics extension allows the saving of all GET and POST data from TYPO3 frontend requests, potentially exposing sensitive information.

Affected Systems and Versions

        Product: Not applicable
        Vendor: Not applicable
        Versions affected: Before 2.0.1 of the view_statistics extension for TYPO3

Exploitation Mechanism

The extension itself writes the GET and POST data of frontend requests to the database, so sensitive values submitted by visitors are exposed to anyone who can read those records.

Mitigation and Prevention

Protecting systems from CVE-2020-28917 is crucial to maintain security.

Immediate Steps to Take

        Update the view_statistics extension to version 2.0.1 or newer.
        Regularly monitor database entries for any unauthorized or sensitive data.
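
One way to carry out the database check above, as an added example that is not code from the extension or from TYPO3. The table name `stats_track`, the column `request_params`, the JSON storage format and the sample rows are all assumptions made for illustration; adapt them to the schema actually present on the site.

```python
import json
import re
import sqlite3

# Key names that usually carry secrets (assumed list; extend for the site's own forms).
SENSITIVE = re.compile(r"pass|pwd|secret|token|auth|session|card|iban", re.I)

def sensitive_paths(value, prefix=""):
    """Yield dotted paths of sensitive-looking, non-empty keys in nested request data."""
    if isinstance(value, dict):
        for key, child in value.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if SENSITIVE.search(str(key)) and child not in ("", None):
                yield path
            yield from sensitive_paths(child, path)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from sensitive_paths(child, f"{prefix}[{i}]")

def audit(conn, table="stats_track", column="request_params"):
    """Return (row id, key path) findings; the stored values are never returned."""
    findings = []
    # table/column are hypothetical identifiers set by the operator, not user input.
    for uid, raw in conn.execute(f"SELECT uid, {column} FROM {table} ORDER BY uid"):
        try:
            data = json.loads(raw or "{}")
        except json.JSONDecodeError:
            findings.append((uid, "<unparseable>"))  # review these rows by hand
            continue
        findings.extend((uid, path) for path in sensitive_paths(data))
    return findings

def demo_db():
    """Constructed sample rows standing in for logged frontend requests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stats_track (uid INTEGER PRIMARY KEY, request_params TEXT)")
    rows = [
        (1, json.dumps({"GET": {"id": "12"}, "POST": {}})),
        (2, json.dumps({"GET": {"id": "5"},
                        "POST": {"user": "alice", "pass": "example-only", "logintype": "login"}})),
        (3, json.dumps({"GET": {"tx_shop": {"api_token": "constructed"}}, "POST": {}})),
        (4, "not json"),
    ]
    conn.executemany("INSERT INTO stats_track VALUES (?, ?)", rows)
    return conn

if __name__ == "__main__":
    for uid, path in audit(demo_db()):
        print(f"row {uid}: {path}")
```

The report lists only row ids and key paths, so running the audit does not copy the logged secrets into yet another place. Rows it flags should be purged, and the affected credentials rotated.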

Long-Term Security Practices

        Implement data encryption for sensitive information stored in the database.
        Conduct regular security audits to identify and address any vulnerabilities.

Patching and Updates

        Apply patches and updates provided by TYPO3 to address this vulnerability.
