TYPO3 Cross-Site Scripting in Link Handling

2024-06-0717:16:53

Google

osv.dev

typo3

cross-site scripting

link handling

url handling

typolink

backend

frontend extensions

vulnerable

6.7 Medium

AI Score

Confidence

High

JSON

It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering with typolink.

CPENameOperatorVersion
typo3/cmseq8.7.24
typo3/cmseq9.3.3
typo3/cmseq8.7.12
typo3/cmseq8.6.1
typo3/cmseq9.1.0
typo3/cmseq10.2.0
typo3/cmseq8.4.1
typo3/cmseq8.1.2
typo3/cmseq8.7.21
typo3/cmseq8.3.0

Name	Operator	Version
typo3/cms	eq	8.7.24
typo3/cms	eq	9.3.3
typo3/cms	eq	8.7.12
typo3/cms	eq	8.6.1
typo3/cms	eq	9.1.0
typo3/cms	eq	10.2.0
typo3/cms	eq	8.4.1
typo3/cms	eq	8.1.2
typo3/cms	eq	8.7.21
typo3/cms	eq	8.3.0

Rows per page:

1-10 of 691

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-12-17-2.yaml

github.com/TYPO3/typo3

github.com/TYPO3/typo3/commit/25f796b94e23bac77e836bd38f53ce998c094901

github.com/TYPO3/typo3/commit/64db88b9b61bb67b3b44145dc8e0e1ef251da45e

github.com/TYPO3/typo3/commit/a35c42e9bcb020e16016d1c146354513a9856bc0

typo3.org/security/advisory/typo3-core-sa-2019-022

6.7 Medium

AI Score

Confidence

High

JSON