GitHub Advisory Database: GHSA-8M6J-P5JV-V69W
History: Jun 07, 2024 - 7:43 p.m.

TYPO3 Cross-Site Scripting in Online Media Asset Rendering

2024-06-07 19:43:19
CWE-79
GitHub Advisory Database
github.com
typo3
xss
online media asset
rendering
backend user
server write access

6.7 Medium

AI Score

Confidence

High

Because user input is not properly encoded, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account or write access on the server system (e.g. SFTP).

Affected configurations

Vulners
Node
typo3cms_poll_system_extension, range <9.5.2
OR
typo3cms_poll_system_extension, range <8.7.21
OR
typo3cms_poll_system_extension, range <7.6.32