Lucene search

GoogleOSV:GHSA-V6MW-H7W6-59W3

HistoryMay 14, 2024 - 8:13 p.m.

TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module

2024-05-1420:13:15

Google

osv.dev

typo3

form manager

cross-site scripting

update

security advisory

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

15.6%

JSON

Problem

The form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module.

Solution

Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described.

Credits

Thanks to TYPO3 core & security team member Benjamin Franzke who reported and fixed the issue.

References

TYPO3-CORE-SA-2024-008

CPENameOperatorVersion
typo3/cms-coreeq10.4.34
typo3/cms-coreeq10.4.26
typo3/cms-coreeq12.4.6
typo3/cms-coreeq11.5.9
typo3/cms-coreeq11.5.21
typo3/cms-coreeq10.2.0
typo3/cms-coreeq9.5.5
typo3/cms-coreeq11.5.3
typo3/cms-coreeq12.4.7
typo3/cms-coreeq10.4.21

Name	Operator	Version
typo3/cms-core	eq	10.4.34
typo3/cms-core	eq	10.4.26
typo3/cms-core	eq	12.4.6
typo3/cms-core	eq	11.5.9
typo3/cms-core	eq	11.5.21
typo3/cms-core	eq	10.2.0
typo3/cms-core	eq	9.5.5
typo3/cms-core	eq	11.5.3
typo3/cms-core	eq	12.4.7
typo3/cms-core	eq	10.4.21

Rows per page:

1-10 of 1551