GitHub Advisory DatabaseGHSA-XJWX-78X7-Q6JCTYPO3 vulnerable to an HTML Injection in the History Module
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
4.2 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.5%
Problem
The history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account.
Solution
Update to TYPO3 version 13.1.1 that fixes the problem described.
Credits
Thanks to TYPO3 core team member Andreas Kienast who reported this issue and to TYPO3 core & security team Benjamin Franzke who fixed the issue.
References
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| typo3/cms-core | le | 13.1.0 |
Related
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
4.2 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.5%