TYPO3 Cross-Site Scripting in Filelist Module

2024-05-3018:35:47

CWE-79

GitHub Advisory Database

github.com

typo3

filelist module

cross-site scripting

vulnerability

file system

server

AI Score

6.5

Confidence

High

JSON

It has been discovered that the output table listing in the “Files” backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences.

Access to the file system of the server - either directly or through synchronization - is required to exploit the vulnerability.

Affected configurations

Vulners

Node

typo3cms-coreRange9.0.0–9.5.12

typo3cms-coreRange8.0.0–8.7.30

typo3cms-coreRange10.0.0–10.2.1

VendorProductVersionCPE
typo3cms-core*cpe:2.3:a:typo3:cms-core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
typo3	cms-core	*	cpe:2.3:a:typo3:cms-core::::::::

References

github.com/advisories/GHSA-6xwf-7rfm-4gwc

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-3.yaml

typo3.org/security/advisory/typo3-core-sa-2019-023

AI Score

6.5

Confidence

High

JSON