- Release Date: November 17, 2020
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: View frontend statistics (view_statistics)
- Vulnerability Type: Sensitive Data Exposure
- Affected Versions: 2.0.0 and below
- Severity: High
- Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
- References: CVE-2020-28917

The extension saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g. plain text passwords if ext:felogin is installed) may be saved.
An updated version 2.0.1 is available from the TYPO3 extension manager and at
Users of the extension are advised to update the extension as soon as possible.
Important: Updating the extension does not fully resolve the problem, since sensitive data may already have been saved to the database. Users of the extension are advised to delete the field “request_params” in the table “tx_viewstatistics_domain_model_track” either by using the TYPO3 Install Tool (Analyze Database Structure) or manually.
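
The manual cleanup described above, written out as an added example (it is not part of the original advisory). It assumes a MySQL/MariaDB database and that version 2.0.1 is already installed; the table and column names are the ones the advisory gives.

```sql
-- Added example. Assumes MySQL/MariaDB and that view_statistics 2.0.1 is
-- already installed. Table and column names are taken from the advisory.

-- 1. How many tracking rows still hold captured request data?
SELECT COUNT(*) AS rows_with_request_data
FROM tx_viewstatistics_domain_model_track
WHERE request_params IS NOT NULL
  AND request_params <> '';

-- 2. Heuristic: rows likely to contain a felogin password. felogin submits
--    the password in a parameter named "pass"; how the extension serialized
--    the parameters is not stated in the advisory, so this is a substring
--    match and only an estimate.
SELECT COUNT(*) AS rows_mentioning_pass
FROM tx_viewstatistics_domain_model_track
WHERE request_params LIKE '%pass%';

-- 3. Remove the stored data by dropping the field, as the advisory advises.
ALTER TABLE tx_viewstatistics_domain_model_track
  DROP COLUMN request_params;

-- 4. Verify: expect 0 once the column is gone.
SELECT COUNT(*) AS column_still_present
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME   = 'tx_viewstatistics_domain_model_track'
  AND COLUMN_NAME  = 'request_params';
```

Database dumps and backups taken before this cleanup still contain the column and its contents.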
Thanks to Thomas Deuling for reporting the issue and providing an updated version of the extension.