GHSA-8C25-VJ2W-P72J (Google OSV)
History: May 30, 2024 - 2:59 p.m.

TYPO3 Cross-Site Scripting in Frontend User Login

2024-05-30 14:59:25
Google
osv.dev
Tags: typo3, frontend, cross-site scripting, user input, login status display, vulnerability, website, user profile, system extension, felogin, typoscript, software

AI Score: 6.4 Medium
Confidence: High

Because user input is not properly encoded before it is rendered, the login status display is vulnerable to cross-site scripting in the website frontend. A valid user account is needed to exploit this vulnerability: either a backend user, or a frontend user who is able to modify their own user profile (so that the profile fields shown in the login status carry attacker-controlled markup).

The affected template patterns are:

  • ###FEUSER_[fieldName]### markers rendered by the system extension felogin
  • the <!--###USERNAME###--> substitution token for regular frontend rendering (the token can be defined individually using the TypoScript setting config.USERNAME_substToken; <!--###USERNAME###--> is its default)
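The following is an added example and not TYPO3 core or felogin code. It reconstructs the failure mode in miniature: a stand-in for the two substitution paths above splices frontend-user fields into HTML, first without encoding (the vulnerable behaviour the advisory describes) and then with context-appropriate HTML encoding. The function names, the template strings, the user record and its payload are all constructed for this illustration; the only real identifiers are the marker forms and the default substitution token. PHP 8 is assumed for str_contains.

```php
<?php
// Added example (not TYPO3 core or felogin code). Names, templates and the
// user record below are constructed for illustration.

declare(strict_types=1);

// Constructed frontend user record: a user who could edit their own profile
// and stored a script-bearing value in a field later shown via ###FEUSER_[fieldName]###.
$feUser = [
    'username'   => 'alice',
    'first_name' => '<img src=x onerror="alert(document.cookie)">',
];

// Constructed templates for the two affected patterns.
$feloginTemplate = '<p>Logged in as ###FEUSER_username### (###FEUSER_first_name###)</p>';
$pageTemplate    = '<div class="status">Welcome, <!--###USERNAME###--></div>';
// Default value of config.USERNAME_substToken.
$substToken      = '<!--###USERNAME###-->';

/**
 * Vulnerable variant: raw field values are written straight into the markup,
 * so any HTML stored in the profile becomes live markup in the page.
 */
function renderLoginStatusUnsafe(string $template, array $user, string $substToken): string
{
    $out = $template;
    foreach ($user as $field => $value) {
        $out = str_replace('###FEUSER_' . $field . '###', (string)$value, $out);
    }
    return str_replace($substToken, (string)($user['username'] ?? ''), $out);
}

/**
 * Encode a user-controlled value for HTML element content or a quoted
 * attribute value. ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE
 * keeps invalid UTF-8 from silently emptying the output.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened variant: every substituted value is encoded first. The template
 * itself (trusted, site-controlled) is left untouched.
 */
function renderLoginStatusSafe(string $template, array $user, string $substToken): string
{
    $out = $template;
    foreach ($user as $field => $value) {
        $out = str_replace('###FEUSER_' . $field . '###', encodeForHtml((string)$value), $out);
    }
    return str_replace($substToken, encodeForHtml((string)($user['username'] ?? '')), $out);
}

// Demonstration: the felogin marker path.
$unsafe = renderLoginStatusUnsafe($feloginTemplate, $feUser, $substToken);
$safe   = renderLoginStatusSafe($feloginTemplate, $feUser, $substToken);
echo "unsafe: $unsafe", PHP_EOL;   // payload survives as an <img> element with an onerror handler
echo "safe:   $safe", PHP_EOL;     // payload survives only as escaped text

// Demonstration: the regular-frontend substitution token path, with a
// hostile username instead of a hostile profile field.
$hostileUser = ['username' => '"><script>alert(1)</script>'];
echo "unsafe: ", renderLoginStatusUnsafe($pageTemplate, $hostileUser, $substToken), PHP_EOL;
echo "safe:   ", renderLoginStatusSafe($pageTemplate, $hostileUser, $substToken), PHP_EOL;

// Regression check a site owner could keep in a test suite: no user-supplied
// tag may reach the output unencoded.
assert(str_contains($unsafe, '<img'));
assert(!str_contains($safe, '<img'));
assert(!str_contains(renderLoginStatusSafe($pageTemplate, $hostileUser, $substToken), '<script'));
```

The practical check for a deployment is the last three lines: log in with a test account whose profile field (or username, where registration allows it) contains a harmless marker such as `<b>x</b>`, then inspect the rendered login status. If the marker arrives as bold text rather than as the literal string `&lt;b&gt;x&lt;/b&gt;`, the site is on an affected configuration. Note that backend users can set arbitrary field values regardless of frontend profile editing, which is why the advisory lists them as a second exploitation path.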
