Meta
- CVSS:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC
(5.7)
Failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser do not consider all potentially malicious HTML tag & attribute combinations per default.
In addition, the lack of comprehensive default node configuration for rich-text fields in the backend user interface fosters this malfunction.
In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required.
Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described above.
Custom package typo3/html-sanitizer - based on allow-lists only - takes care of sanitizing potentially malicious markup. The default behavior is based on safe and commonly used markup - however, this can be extended or restricted further in case it is necessary for individual scenarios.
During the frontend rendering process, sanitization is applied to the default TypoScript path lib.parseFunc
, which is implicitly used by the Fluid view-helper instruction f:format.html
. Rich-text data persisted using the backend user interface is sanitized as well. Implementation details are explained in corresponding ChangeLog documentation.
Thanks to Benjamin Stiber, Gert-Jan Jansma, Gábor Ács-Kurucz, Alexander Kellner, Richie Lee, Nina Rösch who reported this issue, and to TYPO3 security team member Oliver Hader, as well as TYPO3 contributor Susanne Moog who fixed the issue.
{ "nvd_published_at": "2021-08-10T17:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-08-16T22:38:47Z" }