TYPO3 Cross-Site Scripting in Link Handling

2024-06-0717:16:53

CWE-79

GitHub Advisory Database

github.com

typo3

cross-site scripting

link handling

url

typolink

backend

frontend

extensions

rendering

6.7 Medium

AI Score

Confidence

High

JSON

It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering with typolink.

Affected configurations

Vulners

Node

typo3cms_poll_system_extensionRange<9.5.12

typo3cms_poll_system_extensionRange<8.7.30

typo3cms_poll_system_extensionRange<10.2.1

CPENameOperatorVersion
typo3/cmslt9.5.12
typo3/cmslt8.7.30
typo3/cmslt10.2.1

Name	Operator	Version
typo3/cms	lt	9.5.12
typo3/cms	lt	8.7.30
typo3/cms	lt	10.2.1

References

github.com/advisories/GHSA-xgmx-j3hv-jh9x

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-12-17-2.yaml

github.com/TYPO3/typo3/commit/25f796b94e23bac77e836bd38f53ce998c094901

github.com/TYPO3/typo3/commit/64db88b9b61bb67b3b44145dc8e0e1ef251da45e

github.com/TYPO3/typo3/commit/a35c42e9bcb020e16016d1c146354513a9856bc0

typo3.org/security/advisory/typo3-core-sa-2019-022

6.7 Medium

AI Score

Confidence

High

JSON