CVSS3: 3.5 Low
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
AI Score: 4.3 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.5%)
The history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account.
Update to TYPO3 version 13.1.1, which fixes the problem described.
Thanks to TYPO3 core team member Andreas Kienast, who reported this issue, and to TYPO3 core & security team member Benjamin Franzke, who fixed the issue.
Name | Operator | Version |
---|---|---|
typo3/cms-core | eq | 13.1.0 |
typo3/cms-core | eq | 13.0.1 |
typo3/cms-core | eq | 13.0.0 |