GHSA-xjwx-78x7-q6jc

Source

https://github.com/advisories/GHSA-xjwx-78x7-q6jc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-xjwx-78x7-q6jc/GHSA-xjwx-78x7-q6jc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xjwx-78x7-q6jc

Aliases

CVE-2024-34355

Published

2024-05-14T20:13:02Z

Modified

2024-05-19T02:24:46.162763Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

TYPO3 vulnerable to an HTML Injection in the History Module

Details

Problem

The history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account.

Solution

Update to TYPO3 version 13.1.1 that fixes the problem described.

Credits

Thanks to TYPO3 core team member Andreas Kienast who reported this issue and to TYPO3 core & security team Benjamin Franzke who fixed the issue.

References

TYPO3-CORE-SA-2024-007

Database specific

{
    "nvd_published_at": "2024-05-14T16:17:24Z",
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T20:13:02Z"
}

References

Affected packages

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0

Fixed

13.1.1

Affected versions

v13.*

v13.0.0

v13.0.1

v13.1.0

Database specific

{
    "last_known_affected_version_range": "<= 13.1.0"
}