Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWYzcmYtdjlxbS05Yzg5

Moderate EPSS: 0.00691% (0.70898 Percentile) EPSS:
Permalink JSON

Cross-site Scripting in the femanager TYPO3 extension

Affected Packages Affected Versions Fixed Versions
packagist:in2code/femanager >= 6.0.0, < 6.3.1, < 5.5.1 6.3.1, 5.5.1
5 Dependent packages
8 Dependent repositories
645,216 Downloads total

Affected Version Ranges

All affected versions

2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.3.0

All unaffected versions

5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 6.4.1, 6.4.2, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.5.1, 7.5.2, 8.0.0, 8.0.1, 8.1.0, 8.2.0, 8.2.1, 8.2.2, 8.3.0

The extension allows by default to upload SVG files when a logged in frontend user uploads a new profile image. This may lead to Cross-Site Scripting, when the uploaded SVG image is used as is on the website.

Note: If SVG uploads are required, it is recommended to use the TYPO3 extension svg_sanitizer (added to TYPO3 core since versions 9.5.28, 10.4.18 and 11.3.0) to prevent upload of malicious SVG files or to set up a strict Content Security Policy for the destination folder of uploaded images.

References:

Identifiers

GHSA-f3rf-v9qm-9c89

CVE-2021-36787

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00691

EPSS Percentile: 0.70898

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/in2code-de/femanager

Date and time

Published

almost 4 years ago

Updated

over 2 years ago

API

JSON