
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The vulnerability (GHSA-hww5-6x85-mc24) was identified in TYPO3 CMS's Backend API, affecting versions 8.0.0-8.7.26 and 9.0.0-9.5.7. Discovered and disclosed on June 25, 2019, this security issue involves arbitrary code execution and cross-site scripting vulnerabilities in the Backend API configuration using Page TSconfig (TYPO3 Advisory).
The vulnerability is classified as medium severity and affects the Backend API (ext:backend) component. The suggested CVSS v3.0 score parameters are AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:H/MUI:X/MS:X/MC:X/MI:X/MA:X. The TSconfig fields of page properties in backend forms can be exploited to inject malicious sequences, and the tsconfig_includes field is vulnerable to directory traversal (TYPO3 Advisory).
The vulnerability allows for arbitrary code execution and cross-site scripting attacks. When exploited, it could lead to unauthorized access to TSconfig settings through directory traversal, potentially compromising the security of the affected TYPO3 installations (TYPO3 Advisory).
The vulnerability has been patched in TYPO3 versions 8.7.27 and 9.5.8. The fix prevents non-admin users from modifying the pages.TSconfig and pages.tsconfig_includes fields. Users are strongly advised to update to these patched versions (TYPO3 Advisory).
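To check an installation against the affected ranges above, the following added example (not part of the TYPO3 advisory or the TYPO3 project's code) scans a composer.lock file for affected releases. The package names typo3/cms and typo3/cms-backend are assumed to be the Composer packages carrying ext:backend, and the sample lock content is constructed.

```python
import json
import re

# Affected ranges and fixed releases, as stated in the advisory summary above.
AFFECTED = [((8, 0, 0), (8, 7, 26), "8.7.27"), ((9, 0, 0), (9, 5, 7), "9.5.8")]
# Assumption: Composer packages that carry ext:backend.
PACKAGES = {"typo3/cms", "typo3/cms-backend"}

def parse_version(text):
    """Return (major, minor, patch), or None for dev branches and pre-releases."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def fixed_release_for(version):
    """Return the patched release if the version tuple is affected, else None."""
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return fixed
    return None

def audit_lock(lock_text):
    """Return (package, version, verdict) for affected or unparseable entries."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, raw = pkg.get("name"), pkg.get("version", "")
        if name not in PACKAGES:
            continue
        version = parse_version(raw)
        if version is None:
            findings.append((name, raw, "unknown, check manually"))
        elif fixed_release_for(version):
            findings.append((name, raw, "affected, update to " + fixed_release_for(version)))
    return findings

# Constructed sample lock file, not taken from a real installation.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-backend", "version": "v9.5.7"},
        {"name": "typo3/cms-core", "version": "v9.5.7"},
        {"name": "symfony/console", "version": "v4.2.9"},
    ],
    "packages-dev": [{"name": "typo3/cms", "version": "dev-master"}],
})

if __name__ == "__main__":
    for name, raw, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{name} {raw}: {verdict}")
```

Entries that do not parse as a plain release number (dev branches, pre-releases) are reported for manual review rather than silently treated as safe.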
The vulnerability was reported by Benjamin Kott and Oliver Hader, with TYPO3 core team member Andreas Fernandez implementing the fix. The TYPO3 community acknowledged their contributions in addressing this security issue (TYPO3 Advisory).
Source: This report was generated using AI