GHSA-fjh3-g8gq-9q92

Suggest an improvement
Source
https://github.com/advisories/GHSA-fjh3-g8gq-9q92
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-fjh3-g8gq-9q92/GHSA-fjh3-g8gq-9q92.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fjh3-g8gq-9q92
Aliases
Published
2021-03-23T01:53:47Z
Modified
2024-02-02T17:01:29.189388Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Cross-Site Scripting in Content Preview
Details

Problem

It has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 10.4.14, 11.1.1 that fix the problem described.

Credits

Thanks to Richie Lee who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

References

Database specific
{
    "nvd_published_at": "2021-03-23T02:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-23T01:41:27Z"
}
References

Affected packages

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.14

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Database specific

{
    "last_known_affected_version_range": "<= 10.4.13"
}

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0

Database specific

{
    "last_known_affected_version_range": "<= 11.1.0"
}

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.14

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.4.14

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13

Packagist / typo3/cms

Package

Name
typo3/cms
Purl
pkg:composer/typo3/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.1

Affected versions

v11.*

v11.0.0
v11.1.0