GHSA-fjh3-g8gq-9q92

Source

https://github.com/advisories/GHSA-fjh3-g8gq-9q92

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-fjh3-g8gq-9q92/GHSA-fjh3-g8gq-9q92.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fjh3-g8gq-9q92

Aliases

Published

2021-03-23T01:53:47Z

Modified

2024-02-16T08:11:34.680931Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Cross-Site Scripting in Content Preview

Details

Problem

It has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described.

Credits

Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

References

TYPO3-CORE-SA-2021-007

Database specific

{
    "nvd_published_at": "2021-03-23T02:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-23T01:41:27Z"
}

References

Affected packages

Packagist / typo3/cms-backend

Package

Name: typo3/cms-backend
Purl: pkg:composer/typo3/cms-backend

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.4.14

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.2.1

v10.2.2

v10.3.0

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.4.7

v10.4.8

v10.4.9

v10.4.10

v10.4.11

v10.4.12

v10.4.13

Database specific

{
    "last_known_affected_version_range": "<= 10.4.13"
}

Packagist / typo3/cms-backend

Package

Name: typo3/cms-backend
Purl: pkg:composer/typo3/cms-backend

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.1.1

Affected versions

v11.*

v11.0.0

v11.1.0

Database specific

{
    "last_known_affected_version_range": "<= 11.1.0"
}

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.4.14

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.2.1

v10.2.2

v10.3.0

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.4.7

v10.4.8

v10.4.9

v10.4.10

v10.4.11

v10.4.12

v10.4.13

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.1.1

Affected versions

v11.*

v11.0.0

v11.1.0

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.4.14

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.2.1

v10.2.2

v10.3.0

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.4.7

v10.4.8

v10.4.9

v10.4.10

v10.4.11

v10.4.12

v10.4.13

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.1.1

Affected versions

v11.*

v11.0.0

v11.1.0