CVE-2022-36107

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-36107
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36107.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-36107
Aliases
Published
2022-09-13T17:30:13Z
Modified
2026-04-10T04:49:15.290354Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
Summary
Stored Cross-Site Scripting via FileDumpController
Details

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the FileDumpController (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability. Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36107.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type
GIT
Repo
https://github.com/typo3/typo3
Events
Introduced
c91b70e450c52d29ffb08115fffbb7832b15a330
Fixed
1a3a7c13e830700f43bd7425ffb8302a3d4c7056
Database specific 
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.4.32"
        }
    ]
}
Type
GIT
Repo
https://github.com/typo3/typo3
Events
Introduced
6a5e2d4097ef0a0e3ea955af93cf83810d6fa234
Fixed
bb2cf378b62703708a1d3d0ac84809db1831a839
Database specific 
{
    "versions": [
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.5.16"
        }
    ]
}

Affected versions

v10.*
v10.0.0
v10.1.0
v10.2.0
v10.3.0
v10.4.0
v10.4.1
v10.4.10
v10.4.11
v10.4.12
v10.4.13
v10.4.14
v10.4.15
v10.4.16
v10.4.17
v10.4.18
v10.4.19
v10.4.2
v10.4.20
v10.4.21
v10.4.22
v10.4.23
v10.4.24
v10.4.25
v10.4.26
v10.4.27
v10.4.28
v10.4.29
v10.4.3
v10.4.30
v10.4.31
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v11.*
v11.0.0
v11.1.0
v11.2.0
v11.3.0
v11.4.0
v11.5.0
v11.5.1
v11.5.10
v11.5.11
v11.5.12
v11.5.13
v11.5.14
v11.5.15
v11.5.2
v11.5.3
v11.5.4
v11.5.5
v11.5.6
v11.5.7
v11.5.8
v11.5.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36107.json"

Git / github.com/typo3/typo3.cms

Affected ranges

Type
GIT
Repo
https://github.com/typo3/typo3.cms
Events
Introduced
c91b70e450c52d29ffb08115fffbb7832b15a330
Last affected
bc74379650b09c87a4978220076dcfcb7090b285
Introduced
6a5e2d4097ef0a0e3ea955af93cf83810d6fa234
Last affected
54ef8ceea343262012d800b0072b8b1a6aece1d5
Database specific 
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "last_affected": "10.4.31"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "last_affected": "11.5.15"
        }
    ]
}

Affected versions

v10.*
v10.0.0
v10.1.0
v10.2.0
v10.3.0
v10.4.0
v10.4.1
v10.4.10
v10.4.11
v10.4.12
v10.4.13
v10.4.14
v10.4.15
v10.4.16
v10.4.17
v10.4.18
v10.4.19
v10.4.2
v10.4.20
v10.4.21
v10.4.22
v10.4.23
v10.4.24
v10.4.25
v10.4.26
v10.4.27
v10.4.28
v10.4.29
v10.4.3
v10.4.30
v10.4.31
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v11.*
v11.0.0
v11.1.0
v11.2.0
v11.3.0
v11.4.0
v11.5.0
v11.5.1
v11.5.10
v11.5.11
v11.5.12
v11.5.13
v11.5.14
v11.5.15
v11.5.2
v11.5.3
v11.5.4
v11.5.5
v11.5.6
v11.5.7
v11.5.8
v11.5.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36107.json"