Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13cDhqLWM3MzYtYzVyM84AA8kR

TYPO3 Cross-Site Scripting Vulnerability Exploitable by Editors

It has been discovered that link tags generated by typolink functionality in the website's frontend are vulnerable to cross-site scripting - values being assigned to HTML attributes have not been parsed correctly. A valid backend user account is needed to exploit this vulnerability.

As second and separate vulnerability in the filelist module of the backend user interface has been referenced with this advisory as well. Error messages being shown after using a malicious name for renaming a file are not propery encoded, thus vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.

Permalink: https://github.com/advisories/GHSA-wp8j-c736-c5r3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cDhqLWM3MzYtYzVyM84AA8kR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-wp8j-c736-c5r3
References:

Repository: https://github.com/TYPO3/typo3
Blast Radius: 14.1

Affected Packages

packagist:typo3/cms

Dependent packages: 380
Dependent repositories: 407
Downloads: 1,861,876 total
Affected Version Ranges: >= 7.0.0, < 7.3.1, >= 6.2.0, < 6.2.14
Fixed in: 7.3.1, 6.2.14
All affected versions: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.2.0, 7.3.0
All unaffected versions: 6.2.14, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.19, 6.2.20, 6.2.21, 6.2.22, 6.2.23, 6.2.24, 6.2.25, 6.2.26, 6.2.27, 6.2.28, 6.2.29, 6.2.30, 6.2.31, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.6.9, 7.6.10, 7.6.11, 7.6.12, 7.6.13, 7.6.14, 7.6.15, 7.6.16, 7.6.17, 7.6.18, 7.6.19, 7.6.20, 7.6.21, 7.6.22, 7.6.23, 7.6.24, 7.6.25, 7.6.26, 7.6.27, 7.6.28, 7.6.29, 7.6.30, 7.6.31, 7.6.32, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.1.2, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.4.0, 8.4.1, 8.5.0, 8.5.1, 8.6.0, 8.6.1, 8.7.0, 8.7.1, 8.7.2, 8.7.3, 8.7.4, 8.7.5, 8.7.6, 8.7.7, 8.7.8, 8.7.9, 8.7.10, 8.7.11, 8.7.12, 8.7.13, 8.7.14, 8.7.15, 8.7.16, 8.7.17, 8.7.18, 8.7.19, 8.7.20, 8.7.21, 8.7.22, 8.7.23, 8.7.24, 8.7.25, 8.7.26, 8.7.27, 8.7.28, 8.7.29, 8.7.30, 8.7.31, 8.7.32, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 9.5.11, 9.5.12, 9.5.13, 9.5.14, 9.5.15, 9.5.16, 9.5.17, 9.5.18, 9.5.19, 9.5.20, 9.5.21, 9.5.22, 9.5.23, 9.5.24, 9.5.25, 9.5.26, 9.5.27, 9.5.28, 9.5.29, 9.5.30, 9.5.31, 10.0.0, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.4.8, 10.4.9, 10.4.10, 10.4.11, 10.4.12, 10.4.13, 10.4.14, 10.4.15, 10.4.16, 10.4.17, 10.4.18, 10.4.19, 10.4.20, 10.4.21, 10.4.22, 10.4.23, 10.4.24, 10.4.25, 10.4.26, 10.4.27, 10.4.28, 10.4.29, 10.4.30, 10.4.31, 10.4.32, 10.4.33, 10.4.34, 10.4.35, 10.4.36, 10.4.37, 11.0.0, 11.1.0, 11.1.1, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.5.12, 11.5.13, 11.5.14, 11.5.15, 11.5.16, 11.5.17, 11.5.18, 11.5.19, 11.5.20, 11.5.21, 11.5.22, 11.5.23, 11.5.24, 11.5.25, 11.5.26, 11.5.27, 11.5.28, 11.5.29, 11.5.30, 11.5.31, 11.5.32, 11.5.33, 11.5.34, 11.5.35, 11.5.36, 11.5.37, 11.5.38, 11.5.39, 11.5.40, 11.5.41, 12.0.0, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, 12.4.6, 12.4.7, 12.4.8, 12.4.9, 12.4.10, 12.4.11, 12.4.12, 12.4.13, 12.4.14, 12.4.15, 12.4.16, 12.4.17, 12.4.18, 12.4.19, 12.4.20, 12.4.21, 12.4.22, 13.0.0, 13.0.1, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0