TYPO3 Cross-Site Scripting in Form Framework

2024-05-3016:16:16

Google

osv.dev

typo3

cross-site scripting

form framework

user input

frontend forms

6.9 Medium

AI Score

Confidence

High

JSON

Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site scripting.

CPENameOperatorVersion
typo3/cms-coreeq8.7.9
typo3/cms-coreeq8.7.10
typo3/cms-coreeq8.7.20
typo3/cms-coreeq9.1.0
typo3/cms-coreeq8.7.13
typo3/cms-coreeq9.4.0
typo3/cms-coreeq9.3.3
typo3/cms-coreeq8.7.14
typo3/cms-coreeq8.7.15
typo3/cms-coreeq9.5.2

Name	Operator	Version
typo3/cms-core	eq	8.7.9
typo3/cms-core	eq	8.7.10
typo3/cms-core	eq	8.7.20
typo3/cms-core	eq	9.1.0
typo3/cms-core	eq	8.7.13
typo3/cms-core	eq	9.4.0
typo3/cms-core	eq	9.3.3
typo3/cms-core	eq	8.7.14
typo3/cms-core	eq	8.7.15
typo3/cms-core	eq	9.5.2

Rows per page:

1-10 of 291

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-01-22-6.yaml

github.com/TYPO3-CMS/core

github.com/TYPO3-CMS/core/commit/3b8b8b4416b921df4ccc7c5b4a8e9a069562be35

github.com/TYPO3-CMS/core/commit/a0e917008320e24c26780ba385fbfe738fcd45b9

typo3.org/security/advisory/typo3-core-sa-2019-007

6.9 Medium

AI Score

Confidence

High

JSON