Component Type: TYPO3 CMS
Release Date: July 1, 2015
Vulnerable subcomponent: Link Handling (ext:frontend), Filelist Module (ext:filelist, ext:core)
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet
Problem Description: It has been discovered that link tags generated by typolink functionality in the website's frontend are vulnerable to cross-site scripting - values being assigned to HTML attributes have not been parsed correctly. A valid backend user account is needed to exploit this vulnerability.
A second and separate vulnerability in the filelist module of the backend user interface is referenced in this advisory as well. Error messages shown after using a malicious name for renaming a file are not properly encoded and are thus vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.
Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.
Credits: Thanks to Marc Bastian Heinrichs who discovered and reported the issue.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note: All security-related code changes are tagged so that you can easily look them up on our review system.
Document Updates:
- 2020-10-06 by Oliver Hader: changed vulnerable component from "backend" to "frontend", adjusted severity from "low" to "medium", refined problem description