GHSA-f3rf-v9qm-9c89

Source

https://github.com/advisories/GHSA-f3rf-v9qm-9c89

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-f3rf-v9qm-9c89/GHSA-f3rf-v9qm-9c89.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f3rf-v9qm-9c89

Aliases

CVE-2021-36787

Published

2021-09-01T18:36:51Z

Modified

2024-12-02T05:46:33.476266Z

Summary

Cross-site Scripting in the femanager TYPO3 extension

Details

The extension allows by default to upload SVG files when a logged in frontend user uploads a new profile image. This may lead to Cross-Site Scripting, when the uploaded SVG image is used as is on the website.

Note: If SVG uploads are required, it is recommended to use the TYPO3 extension svg_sanitizer (added to TYPO3 core since versions 9.5.28, 10.4.18 and 11.3.0) to prevent upload of malicious SVG files or to set up a strict Content Security Policy for the destination folder of uploaded images.

Database specific

{
    "nvd_published_at": "2021-08-13T17:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T18:35:42Z"
}

References

Affected packages

Packagist / in2code/femanager

Package

Name: in2code/femanager
Purl: pkg:composer/in2code/femanager

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.5.1

Affected versions

2.*

2.5.0

2.5.1

2.6.0

2.6.1

2.6.2

2.7.0

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.1.1

3.1.2

3.1.3

3.2.0

3.3.0

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

5.*

5.0.0

5.1.0

5.1.1

5.2.0

5.3.0

5.3.1

5.4.0

5.4.1

5.4.2

5.5.0

Packagist / in2code/femanager

Package

Name: in2code/femanager
Purl: pkg:composer/in2code/femanager

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.3.1

Affected versions

6.*

6.0.0

6.0.1

6.1.0

6.1.1

6.1.2

6.2.0

6.2.1

6.3.0