TYPO3-FLOW-SA-2013-001: Cross-Site Scripting in TYPO3 Flow

December 10, 2013

Category: TYPO3 Flow
Author: Helmut Hummel
Keywords: TYPO3 Flow, Cross-Site Scripting

It has been discovered that TYPO3 Flow is susceptible to Cross-Site Scripting.

Component Type: TYPO3 Flow

Affected Versions: 1.1.0, 2.0.0 and the current development branch.

Release Date: December 10, 2013

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

CVE: CVE-2013-7082

Problem Description: The errorAction method in the ActionController base class of Flow returns error messages without properly encoding them. Because these error messages can contain user input, this could lead to a Cross-Site Scripting vulnerability in Flow driven applications.

Hint: If you have customized the error action in your Flow application, we advise you to check that the error messages returned in these actions contain only static strings and are not derived from any kind of user input. If you are not sure whether your code is fine in that regard, feel free to ask on a public mailing list or the forum.
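The check described in the hint, as an added example (this is not Flow's own code or the released patch): a customized error action that builds its response from validation errors, shown once without output encoding and once with it. The function names, the shape of the `$errors` array and the message wording are assumptions made for illustration.

```php
<?php
// Added illustration; not TYPO3 Flow source. The function names and the
// $errors structure are hypothetical stand-ins for a custom error action.

/**
 * Unsafe pattern: property paths and messages are concatenated into the
 * response body as-is, so markup carried in user input reaches the browser.
 */
function buildErrorMessageUnsafe(array $errors): string
{
    $message = 'Validation failed.<br />';
    foreach ($errors as $propertyPath => $messages) {
        foreach ($messages as $text) {
            $message .= 'Error for ' . $propertyPath . ': ' . $text . '<br />';
        }
    }
    return $message;
}

/**
 * Hardened pattern: every dynamic fragment is HTML-encoded at output time;
 * only the static strings written by the developer are emitted as markup.
 */
function buildErrorMessageSafe(array $errors): string
{
    $encode = static function ($value): string {
        return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    $message = 'Validation failed.<br />';
    foreach ($errors as $propertyPath => $messages) {
        foreach ($messages as $text) {
            $message .= 'Error for ' . $encode($propertyPath) . ': ' . $encode($text) . '<br />';
        }
    }
    return $message;
}

// Constructed sample: a validation message that echoes the submitted value.
$submitted = '<script>alert(1)</script>';
$errors = ['comment.title' => ['The value "' . $submitted . '" is not valid.']];

// Print both renderings so the difference in the emitted HTML can be compared.
echo buildErrorMessageUnsafe($errors), PHP_EOL;
echo buildErrorMessageSafe($errors), PHP_EOL;
```

When reviewing a custom error action, any variable that ends up in the returned string without passing through an encoder like the one above is a candidate for the problem this advisory describes.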

Solution: Update to Flow version 1.1.1 or 2.0.1, which fix the problem described.

Note: The same problem applies to the Extbase Framework in TYPO3. Read the corresponding advisory TYPO3-CORE-SA-2013-004 for more information.

General Advice: Please subscribe to the typo3-announce mailing list.