GHSA-x79j-wgqv-g8h2

Source
https://github.com/advisories/GHSA-x79j-wgqv-g8h2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-x79j-wgqv-g8h2/GHSA-x79j-wgqv-g8h2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x79j-wgqv-g8h2
Aliases
Published
2021-03-23T01:54:06Z
Modified
2024-02-16T08:19:29.414272Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in typo3/cms-form
Details

Problem

It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.

Solution

Update to TYPO3 version 10.4.14 or 11.1.1, which fix the problem described.

Credits

Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

Database specific
{
    "nvd_published_at": "2021-03-23T02:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-23T01:42:00Z"
}

Affected packages

Packagist / typo3/cms-form

Package

Name
typo3/cms-form
Purl
pkg:composer/typo3/cms-form

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.2.0
Fixed
10.4.14

Affected versions

v10.*

v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Database specific

{
    "last_known_affected_version_range": "<= 10.4.13"
}

Packagist / typo3/cms-form

Package

Name
typo3/cms-form
Purl
pkg:composer/typo3/cms-form

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0

Database specific

{
    "last_known_affected_version_range": "<= 11.1.0"
}

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.14

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.14

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0