CVE-2022-36108

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-36108

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36108.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-36108

Aliases

Published

2022-09-13T17:20:13Z

Modified

2026-05-19T11:55:37.466134841Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L CVSS Calculator

Summary

Cross-Site Scripting in typo3/cms-core

Details

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the f:asset.css view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36108.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type: GIT
Repo: https://github.com/typo3/typo3
Events: Introduced

6a5e2d4097ef0a0e3ea955af93cf83810d6fa234

Fixed

bb2cf378b62703708a1d3d0ac84809db1831a839

Affected versions

v11.*

v11.0.0

v11.1.0

v11.2.0

v11.3.0

v11.4.0

v11.5.0

v11.5.1

v11.5.10

v11.5.11

v11.5.12

v11.5.13

v11.5.14

v11.5.15

v11.5.2

v11.5.3

v11.5.4

v11.5.5

v11.5.6

v11.5.7

v11.5.8

v11.5.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36108.json"