GHSA-43gj-mj2w-wh46
Suggest an improvement- Source
- https://github.com/advisories/GHSA-43gj-mj2w-wh46
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-43gj-mj2w-wh46/GHSA-43gj-mj2w-wh46.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-43gj-mj2w-wh46
- Aliases
- Published
- 2020-05-13T23:17:48Z
- Modified
- 2024-02-16T08:00:14.635787Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-Site Scripting in TYPO3 CMS Form Engine
- Details
-
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML
placeholderattributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.
References
- https://typo3.org/security/advisory/typo3-core-sa-2020-002
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-05-13T22:54:40Z" }- References
-
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-43gj-mj2w-wh46
- https://nvd.nist.gov/vuln/detail/CVE-2020-11064
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11064.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11064.yaml
- https://typo3.org/security/advisory/typo3-core-sa-2020-002
Affected packages
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3/cms-core
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3/cms-core
Packagist / typo3/cms
Package
- Name
- typo3/cms
- Purl
- pkg:composer/typo3/cms
Packagist / typo3/cms
Package
- Name
- typo3/cms
- Purl
- pkg:composer/typo3/cms