How severe is CVE-2020-11066?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 10 out of 10.

What type of vulnerability is CVE-2020-11066?

This is classified as CWE-915, which is a common weakness in software security.

CVE-2020-11066

CRITICAL Year: 2020

CVSS v3 Score

10.0

Critical

CVSS v2 Score

6.4

Medium

Weakness Type

CWE-915

View all →

Vulnerability Description

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2.

CVE-2021-21304

CRITICAL

CVSS:9.8(Critical)

Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "...

CWE-9152021

CVE-2022-24802

CRITICAL

CVSS:9.8(Critical)

deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecord...

CWE-9152022

CVE-2022-31106

CRITICAL

CVSS:9.8(Critical)

Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An atta...

CWE-9152022

CVE-2022-43441

CRITICAL

CVSS:9.8(Critical)

A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attac...

CWE-9152022

CVE-2024-5452

CRITICAL

CVSS:9.8(Critical)

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attribute...

CWE-9152024

CVE-2024-55636

CRITICAL

CVSS:9.8(Critical)

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. ...

CWE-9152024

CVE-2020-11066

Vulnerability Description

Related Vulnerabilities

CVE-2021-21304

CVE-2022-24802

CVE-2022-31106

CVE-2022-43441

CVE-2024-5452

CVE-2024-55636