GitHub Advisory Database: GHSA-8C25-VJ2W-P72J
Published May 30, 2024 - 2:59 p.m.

TYPO3 Cross-Site Scripting in Frontend User Login

CWE-79
GitHub Advisory Database
github.com

6.4 Medium

AI Score

Confidence

High

Because user input is not properly encoded, the login status display is vulnerable to cross-site scripting in the website frontend. A valid user account is needed to exploit this vulnerability: either a backend user, or a frontend user who is able to modify their own user profile.

The affected template patterns are:

  • ###FEUSER_[fieldName]### when using the system extension felogin
  • the username substitution token for regular frontend rendering (the pattern can be defined individually using the TypoScript setting config.USERNAME_substToken)
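As an added illustration (not TYPO3's own code), the following hypothetical PHP snippet models the token substitution this advisory describes: replacing ###FEUSER_[fieldName]### with a raw profile field lets a user who can edit that field inject markup into the login status display, while HTML-encoding each substituted value at output time renders it as text. The $feUser array, the sample template and the render* function names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample: a frontend user who stored markup in a profile
// field they are permitted to edit (assumption: "name" is editable).
$feUser = [
    'username' => 'alice',
    'name'     => '<script>alert(1)</script>',
];

// Constructed login-status template using the felogin-style pattern.
$template = '<p>Logged in as ###FEUSER_name### (###FEUSER_username###)</p>';

// Vulnerable variant: the token is replaced with the raw field value,
// so any markup stored in the profile reaches the browser unchanged.
function renderUnsafe(string $template, array $feUser): string
{
    return preg_replace_callback(
        '/###FEUSER_([A-Za-z0-9_]+)###/',
        fn(array $m): string => (string) ($feUser[$m[1]] ?? ''),
        $template
    );
}

// Hardened variant: every substituted value is HTML-encoded for the
// element-content context it is inserted into.
function renderSafe(string $template, array $feUser): string
{
    return preg_replace_callback(
        '/###FEUSER_([A-Za-z0-9_]+)###/',
        fn(array $m): string => htmlspecialchars(
            (string) ($feUser[$m[1]] ?? ''),
            ENT_QUOTES | ENT_HTML5,
            'UTF-8'
        ),
        $template
    );
}

// The first line contains a live <script> element; the second shows
// the same value with its angle brackets encoded as entities.
echo renderUnsafe($template, $feUser), PHP_EOL;
echo renderSafe($template, $feUser), PHP_EOL;
```

The same encoding step applies to whatever token config.USERNAME_substToken names for regular frontend rendering, since the field value originates from the user record in both cases.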

Affected configurations (Vulners node)

  • typo3cms_poll_system_extension < 7.6.32
  • typo3cms_poll_system_extension < 9.5.2
  • typo3cms_poll_system_extension < 8.7.21
