Skip to content

Cross-Site Scripting in Query Generator & Query View

Moderate
ohader published GHSA-6mh3-j5r5-2379 Jul 20, 2021

Package

composer typo3/cms-core (Composer)

Affected versions

8.0.0-8.7.40, 9.0.0-9.5.27, 10.0.0-10.4.17, 11.0.0-11.3.0

Patched versions

8.7.41, 9.5.28, 10.4.18, 11.3.1

Description

Meta

  • CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (4.5)

Problem

Failing to properly encode error messages, the components QueryGenerator and QueryView are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described.

Credits

Thanks to Richie Lee who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue.

References

Severity

Moderate

CVE ID

CVE-2021-32668

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Credits