- Component Type: TYPO3 CMS
- Vulnerable subcomponent: Frontend user login
- Release Date: December 11, 2018
- Vulnerability Type: Cross-Site Scripting
- Affected Versions: 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
- CVE: not assigned yet
Problem Description
Because user input is not properly encoded, the login status display is vulnerable to cross-site scripting in the website frontend. A valid user account is needed in order to exploit this vulnerability: either a backend user or a frontend user who is able to modify their own user profile.
The affected template patterns are:
- ###FEUSER_[fieldName]### when using the system extension felogin
- <!--###USERNAME###--> for regular frontend rendering (the pattern can be defined individually using the TypoScript setting config.USERNAME_substToken)
Solution
Update to TYPO3 versions 7.6.32, 8.7.21 or 9.5.2, which fix the problem described.
Strong security defaults - Possible customization
Template patterns rendered by the system extension felogin can be configured using TypoScript. To apply strong security defaults, the property htmlSpecialChars is enabled by default. The rendering process can be customized by adjusting the corresponding TypoScript setting plugin.tx_felogin_pi1.userfields.fieldName.htmlSpecialChars.
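The following is an added illustration, not TYPO3 core or felogin code: a minimal ###FEUSER_[fieldName]### marker substitution in which encoding is on unless a per-field switch explicitly turns it off. The function name substituteFeUserMarkers, the PHP array standing in for the TypoScript userfields configuration, and the sample user record are all assumptions made for this example; the property name htmlSpecialChars and its TypoScript path are taken from the advisory.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3's own code). The $userfields array mirrors the
// TypoScript path plugin.tx_felogin_pi1.userfields.<fieldName>.htmlSpecialChars
// from the advisory; the array shape and function name are assumptions.

/**
 * Replace every ###FEUSER_<field>### marker in $template with the matching
 * value from the (untrusted) frontend user record. Each value is HTML-encoded
 * unless userfields.<field>.htmlSpecialChars is explicitly set to 0, which is
 * the "secure by default" behaviour the advisory describes.
 *
 * @param string                       $template   HTML fragment containing markers
 * @param array<string,string>         $user       frontend user record (user-controlled data)
 * @param array<string,array<string,string>> $userfields per-field configuration (hypothetical shape)
 */
function substituteFeUserMarkers(string $template, array $user, array $userfields = []): string
{
    $result = preg_replace_callback(
        '/###FEUSER_([A-Za-z0-9_]+)###/',
        static function (array $match) use ($user, $userfields): string {
            $field = $match[1];
            $raw = $user[$field] ?? '';
            // Encode unless the integrator explicitly set htmlSpecialChars = 0 for this field.
            $encode = !isset($userfields[$field]['htmlSpecialChars'])
                || (bool)$userfields[$field]['htmlSpecialChars'];
            return $encode
                ? htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                : $raw;
        },
        $template
    );
    // preg_replace_callback() returns null only on a regex engine error.
    return $result ?? '';
}

// Constructed sample data: a frontend user who edited their own profile and
// stored markup in a free-text field.
$user = [
    'username' => 'alice',
    'name'     => '<b>Alice</b>',
];
$template = '<p>Logged in as ###FEUSER_username### (###FEUSER_name###)</p>';

// 1) Default configuration: every field is encoded, the markup is shown literally.
echo substituteFeUserMarkers($template, $user), PHP_EOL;

// 2) Encoding disabled for "name", the equivalent of
//    plugin.tx_felogin_pi1.userfields.name.htmlSpecialChars = 0 in TypoScript:
//    the user-controlled markup reaches the page unchanged.
echo substituteFeUserMarkers($template, $user, ['name' => ['htmlSpecialChars' => '0']]), PHP_EOL;
```

Run with `php example.php`. The first line of output contains the bold tags as &lt;b&gt; entities, the second contains them as raw HTML. The design point is the direction of the default: the switch only ever relaxes encoding for a field an integrator names explicitly, so a template that never mentions htmlSpecialChars stays encoded, and any field rendered unencoded can be found by searching the TypoScript for `htmlSpecialChars = 0`.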
Credits
Thanks to Thomas Löffler who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security related code changes are tagged so that you can easily look them up in our review system.