TYPO3-CORE-SA-2015-004: Cross-Site Scripting in Link Handling & File List

Categories: TYPO3 CMS

Created by Helmut Hummel

It has been discovered that TYPO3 is vulnerable to Cross-Site Scripting.

Component Type: TYPO3 CMS

Release Date: July 1, 2015

Vulnerable subcomponent: Link Handling (ext:frontend), Filelist Module (ext:filelist, ext:core)

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that link tags generated by typolink functionality in the website's frontend are vulnerable to cross-site scripting: values being assigned to HTML attributes have not been parsed correctly. A valid backend user account is needed to exploit this vulnerability.

A second and separate vulnerability in the filelist module of the backend user interface is referenced with this advisory as well. Error messages shown after using a malicious name for renaming a file are not properly encoded and are thus vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.
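The two issues above belong to the same bug class: user-controlled text placed into HTML without context-appropriate encoding. The following is an added illustration of that class and its mitigation, not code from TYPO3 or from the fix; the function names, the attribute allowlist and the sample values are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not TYPO3's typolink code: builds an <a> tag without
// encoding attribute values (the "before" state of this bug class).
function buildLinkUnsafe(string $text, array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        $parts[] = $name . '="' . $value . '"';
    }
    return '<a ' . implode(' ', $parts) . '>' . $text . '</a>';
}

// Hardened form: allowlist attribute names, encode every value and the link text.
function buildLinkSafe(string $text, array $attributes): string
{
    $allowed = ['href', 'title', 'target', 'class']; // assumed allowlist
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $parts = [];
    foreach ($attributes as $name => $value) {
        if (!in_array($name, $allowed, true)) {
            continue; // drop unexpected attributes such as event handlers
        }
        $parts[] = $name . '="' . htmlspecialchars((string)$value, $flags, 'UTF-8') . '"';
    }
    return '<a ' . implode(' ', $parts) . '>' . htmlspecialchars($text, $flags, 'UTF-8') . '</a>';
}

// Hypothetical error renderer for a rejected file name: the name is encoded
// before it is embedded in the message shown to the backend user.
function renderRenameError(string $fileName): string
{
    $encoded = htmlspecialchars($fileName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">Could not rename file to "' . $encoded . '".</p>';
}

// Constructed sample input: an editor-supplied title containing a double quote,
// and a file name containing markup.
$attributes = ['href' => '/news/', 'title' => 'News" onmouseover="alert(1)'];

echo buildLinkUnsafe('News', $attributes), PHP_EOL; // quote ends the title attribute early
echo buildLinkSafe('News', $attributes), PHP_EOL;   // quote is emitted as &quot;
echo renderRenameError('<img src=x onerror=alert(1)>.txt'), PHP_EOL;
```

Comparing the first two output lines shows the difference: in the unsafe output the double quote closes the title attribute and the remainder is parsed as a new attribute, while in the safe output it stays inside the attribute value as `&quot;`.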

Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.

Credits: Thanks to Marc Bastian Heinrichs who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Document Updates:

  • 2020-10-06 by Oliver Hader: changed vulnerable component from "backend" to "frontend", adjusted severity from "low" to "medium", refined problem description