CVE-2021-43563

8.8 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass access controls in the pixxio extension for TYPO3, enabling them to make API requests and download media files from the Digital Asset Management system. It affects TYPO3 installations using the pixxio extension before version 1.0.6.

💻 Affected Systems

Products:
  • TYPO3 pixxio extension (pixx.io integration/DAM)
Versions: All versions before 1.0.6
Operating Systems: Any OS running TYPO3
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects TYPO3 installations with the pixxio extension installed and configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all media assets in the DAM system, including sensitive or proprietary files, leading to data breach and intellectual property theft.

🟠

Likely Case

Unauthorized access and download of media files from the DAM system, potentially exposing sensitive content.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - The vulnerability allows unauthenticated access, making internet-facing TYPO3 instances particularly vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but may have additional network protections.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit as it requires no authentication and involves simple API requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.6

Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2021-017

Restart Required: No

Instructions:

1. Update the pixxio extension to version 1.0.6 or later via TYPO3 Extension Manager.
2. Clear TYPO3 caches.
3. Verify the extension version in the Extension Manager.

🔧 Temporary Workarounds

Disable pixxio extension

Platform: all

Temporarily disable the vulnerable pixxio extension until patching is possible.

typo3cms extension:deactivate pixxio

Restrict network access

Platform: linux

Block external access to TYPO3 instance or restrict to trusted IPs.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Remove the pixxio extension completely from the TYPO3 installation.
  • Implement strict network access controls to limit exposure to the TYPO3 instance.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of the pixxio extension in TYPO3 Extension Manager or via database query:

SELECT * FROM sys_extension WHERE ext_key='pixxio' AND version < '1.0.6';

Check Version:

typo3cms extension:list | grep pixxio

Verify Fix Applied:

Confirm pixxio extension version is 1.0.6 or higher in TYPO3 Extension Manager.
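The database query above compares `version` as a string, so a release such as 1.0.10 sorts before 1.0.6 and would be reported as vulnerable. The following added example (not from the page or the pixxio project) compares version strings numerically against the 1.0.6 fix threshold and shows, side by side, what the plain string comparison returns. The version strings it loops over are constructed for illustration.

```python
import re

# First fixed release named in the vendor advisory.
PATCHED = (1, 0, 6)


def parse_version(version):
    """Turn '1.0.10', 'v1.0.6' or '1.0.6-dev' into a comparable integer tuple.

    Missing components count as 0; a leading 'v' and any suffix are ignored.
    """
    m = re.match(r'^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?', version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(version):
    """True when the installed pixxio version predates 1.0.6."""
    return parse_version(version) < PATCHED


def sql_style_string_check(version):
    """Mimics `version < '1.0.6'` evaluated as a plain string comparison,
    which is lexicographic rather than numeric."""
    return version < "1.0.6"


if __name__ == "__main__":
    # Constructed sample values, not read from any real installation.
    for v in ["1.0.5", "1.0.6", "1.0.10", "0.9", "v1.0.7"]:
        print(f"{v:>8}: numeric={is_vulnerable(v)!s:5}  "
              f"string-compare={sql_style_string_check(v)}")
```

Use the numeric check when scripting fleet-wide verification; if you must stay in SQL, compare the version split into numeric parts rather than as one string.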

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests to pixx.io endpoints from unauthenticated users
  • Multiple media file download requests from unknown IPs

Network Indicators:

  • HTTP requests to /typo3conf/ext/pixxio/ endpoints without authentication
  • Outbound connections to pixx.io API from TYPO3 server

SIEM Query:

source="typo3.log" AND ("pixxio" OR "pixx.io") AND status="200" AND user="-"
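The log and network indicators above can be checked offline against a web server access log. The script below is an added example, not part of the page or the pixxio project: it parses Apache/nginx combined-format lines, keeps successful requests under `/typo3conf/ext/pixxio/` that carry no HTTP auth user, and reports source IPs that exceed a request threshold. The log lines, the `ENDPOINT` path segment and the threshold are constructed for the example; the page names only the path prefix.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log layout. The regex is an assumption of this
# example; adjust the field order if your web server logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefix named in the Network Indicators above.
PIXXIO_PREFIX = "/typo3conf/ext/pixxio/"

# Constructed sample log lines (not real traffic). "ENDPOINT" is a placeholder;
# the page does not list the extension's real endpoint names.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2021:10:15:02 +0000] "GET /typo3conf/ext/pixxio/ENDPOINT?file=1 HTTP/1.1" 200 51234 "-" "curl/7.68.0"
203.0.113.7 - - [10/Nov/2021:10:15:03 +0000] "GET /typo3conf/ext/pixxio/ENDPOINT?file=2 HTTP/1.1" 200 48811 "-" "curl/7.68.0"
198.51.100.4 - editor [10/Nov/2021:10:15:05 +0000] "GET /typo3conf/ext/pixxio/ENDPOINT?file=3 HTTP/1.1" 200 7021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:10:15:06 +0000] "GET /index.php HTTP/1.1" 200 9310 "-" "curl/7.68.0"
203.0.113.7 - - [10/Nov/2021:10:15:07 +0000] "GET /typo3conf/ext/pixxio/ENDPOINT?file=4 HTTP/1.1" 200 60002 "-" "curl/7.68.0"
192.0.2.9 - - [10/Nov/2021:10:16:00 +0000] "GET /typo3conf/ext/pixxio/ENDPOINT?file=5 HTTP/1.1" 403 199 "-" "python-requests/2.25"
this line is not in combined format
"""


def parse_line(line):
    """Return the parsed fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_unauthenticated_pixxio_hit(rec):
    """Successful request under the pixxio path with no HTTP auth user,
    i.e. the same condition as the SIEM query above."""
    return (rec["path"].startswith(PIXXIO_PREFIX)
            and rec["user"] == "-"
            and rec["status"] == "200")


def scan(log_text, threshold=3):
    """Return (hits, noisy_ips): matching records, and per-IP counts for
    sources that reached the threshold (the 'multiple downloads' indicator)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_pixxio_hit(rec):
            hits.append(rec)
    per_ip = Counter(r["ip"] for r in hits)
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG)
    for r in hits:
        print(f"{r['time']} {r['ip']} {r['method']} {r['path']} -> {r['status']}")
    for ip, n in noisy.items():
        print(f"{ip}: {n} unauthenticated pixxio downloads (threshold reached)")
```

Two caveats when applying this to real logs. The third field of a combined log is the HTTP-layer user (Basic or Digest auth); TYPO3 backend and frontend logins are cookie sessions and never appear there, so on a server without HTTP auth every request looks unauthenticated and the `user="-"` condition adds no filtering by itself. Pair the access-log match with TYPO3's own logs, or with a reverse proxy that records the authenticated identity, before treating a hit as confirmed. Also, requests under the prefix that returned 403 (the last sample line) are dropped by this filter; counting them separately gives a useful signal that someone is probing the extension before an access control is bypassed.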

🔗 References
