CVE-2020-11064

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-11064

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11064.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-11064

Aliases

Published

2020-05-13T23:15:11Z

Modified

2024-06-06T12:57:46.426519Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2.

References

https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-43gj-mj2w-wh46

Affected packages

Git / github.com/typo3/typo3.cms

Affected ranges

Type: GIT
Repo: https://github.com/typo3/typo3.cms
Events: Introduced

c91b70e450c52d29ffb08115fffbb7832b15a330

Fixed

cf17e40087cd21faa6f9a12683631744d36f3f46

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.3.0

v10.4.0

v10.4.1