GHSA-x79j-wgqv-g8h2

Suggest an improvement
Source
https://github.com/advisories/GHSA-x79j-wgqv-g8h2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-x79j-wgqv-g8h2/GHSA-x79j-wgqv-g8h2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x79j-wgqv-g8h2
Aliases
Published
2021-03-23T01:54:06Z
Modified
2024-02-16T08:19:29.414272Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C CVSS Calculator
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in typo3/cms-form
Details

Problem

It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 10.4.14 or 11.1.1 that fix the problem described.

Credits

Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

References

References

Affected packages

Packagist / typo3/cms-form

Package

Name
typo3/cms-form
Purl
pkg:composer/typo3/cms-form

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.2.0
Fixed
10.4.14

Affected versions

v10.*

v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Database specific

{
    "last_known_affected_version_range": "<= 10.4.13"
}

Packagist / typo3/cms-form

Package

Name
typo3/cms-form
Purl
pkg:composer/typo3/cms-form

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0

Database specific

{
    "last_known_affected_version_range": "<= 11.1.0"
}

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.14

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.14

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0