CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile: 74.3%
By default, the extension allows SVG files to be uploaded when a logged-in frontend user uploads a new profile image. This may lead to Cross-Site Scripting when the uploaded SVG image is used as-is on the website.
Note: If SVG uploads are required, it is recommended either to use the TYPO3 extension svg_sanitizer (added to TYPO3 core since versions 9.5.28, 10.4.18 and 11.3.0) to prevent the upload of malicious SVG files, or to set up a strict Content Security Policy for the destination folder of uploaded images.
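An added example, not part of the advisory or of femanager's code: a heuristic audit for SVG files already present in the profile-image destination folder, flagging script-capable content. The folder path given on the command line and the sample documents are assumptions, and the tag and attribute lists are an illustrative denylist, not the rules svg_sanitizer applies.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src", "to", "from", "values"}  # incl. <set>/<animate> targets

def local(name: str) -> str:
    """'{namespace}Name' -> 'name' (lower-cased, namespace dropped)."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list:
    """Return reasons an SVG carries active content; an empty list means none found."""
    if b"<!ENTITY" in data.upper():
        return ["entity declaration (not parsed, review manually)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}), review manually"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            compact = "".join(value.split()).lower()  # defeat whitespace padding
            if attr.startswith("on"):
                findings.append(f"{attr} handler on <{tag}>")
            elif attr in URL_ATTRS and compact.startswith("javascript:"):
                findings.append(f"javascript: URL in {attr} on <{tag}>")
    return findings

def scan_dir(folder: str) -> dict:
    """Map each flagged *.svg file under folder to its findings."""
    hits = {}
    for path in Path(folder).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            found = svg_findings(path.read_bytes())
            if found:
                hits[str(path)] = found
    return hits

BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'  # constructed sample
ACTIVE = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'  # constructed sample

if __name__ == "__main__":
    for name, why in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, "->", "; ".join(why))
```

A clean result does not make a file safe to serve; it only narrows what needs manual review.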
packetstormsecurity.com/files/165675/TYPO3-femanager-6.3.0-Cross-Site-Scripting.html
seclists.org/fulldisclosure/2022/Jan/53
extensions.typo3.org/extension/femanager/
github.com/advisories/GHSA-f3rf-v9qm-9c89
github.com/in2code-de/femanager/commit/70f873c60f0e40ffd6a1300218ca368156fc1bf2
github.com/in2code-de/femanager/releases/tag/6.3.1
nvd.nist.gov/vuln/detail/CVE-2021-36787
typo3.org/help/security-advisories/security
typo3.org/security/advisory/typo3-ext-sa-2021-010