CVE-2020-15086: 
PHP vulnerability analysis and mitigation

In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, a critical vulnerability was discovered that allows injection of arbitrary data with a valid cryptographic message authentication code (HMAC-SHA1). The vulnerability was assigned CVE-2020-15086 and was disclosed on July 28, 2020. The affected component is the TYPO3 Media Content Element extension (GHSA Advisory).

The vulnerability stems from an internal verification mechanism that can be used to generate arbitrary checksums. This allows attackers to inject arbitrary data with valid HMAC-SHA1 signatures. The vulnerability has a CVSS v3.1 score of 9.1 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C. The issue was fixed by restricting file validation hash generation and removing the ability to provide arbitrary addition parameters for HMAC generation (GitHub Commit).

The vulnerability can lead to various attack chains including potential privilege escalation (CVE-2020-15099) if the database server is accessible, and insecure deserialization & remote code execution (CVE-2016-5091) if an attacker has access to at least one Extbase plugin or module action. The vulnerability requires no privileges to exploit and can result in complete system compromise (GHSA Advisory).

Users are advised to either uninstall the extension if not required, or update to version 7.6.5 which contains the fix. As a precautionary measure, it is recommended to change the encryptionKey and database credentials in typo3conf/LocalConfiguration.php. The patched version is available through the TYPO3 extension manager, Packagist, and the TYPO3 extension repository (GHSA Advisory).