TYPO3-CORE-SA-2018-008: Cross-Site Scripting in Frontend User Login

Categories: Development Created by Oliver Hader
It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Frontend user login
  • Release Date: December 11, 2018
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet

Problem Description

Because user input is not properly encoded, the login status display in the website frontend is vulnerable to cross-site scripting. A valid user account is needed in order to exploit this vulnerability: either a backend user or a frontend user who is able to modify their own user profile.

The affected template patterns are:

  • ###FEUSER_[fieldName]### when using the system extension felogin
  • <!--###USERNAME###--> for regular frontend rendering (the pattern can be configured individually with the TypoScript setting config.USERNAME_substToken)

Solution

Update to TYPO3 version 7.6.32, 8.7.21 or 9.5.2, which fix the problem described.

Strong security defaults - Possible customization

Template patterns rendered with the system extension felogin can be configured using TypoScript. To provide strong security defaults, the property htmlSpecialChars is enabled by default. The rendering can be customized by adjusting the corresponding TypoScript setting plugin.tx_felogin_pi1.userfields.fieldName.htmlSpecialChars
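The following is an added illustration of the problem description and of the per-field htmlSpecialChars switch above; it is not TYPO3 core code. It models the ###FEUSER_[fieldName]### marker substitution with a small function of its own (substituteFeUserMarkers, the upper-cased marker form, and the sample user record are assumptions for the example), once with the encoding step the default enables and once without it.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 core code: a minimal marker substitution for
// ###FEUSER_[fieldName]### values, with and without the encoding step that
// the felogin option htmlSpecialChars controls per field, e.g.
//   plugin.tx_felogin_pi1.userfields.name.htmlSpecialChars = 1   (default)
//   plugin.tx_felogin_pi1.userfields.name.htmlSpecialChars = 0   (weak)

/**
 * Replace every ###FEUSER_<FIELD>### marker in $template with the matching
 * value from the frontend user record. Marker names are assumed to be the
 * upper-cased field name. When $htmlSpecialChars is true, values are
 * HTML-encoded before they reach the template; when false, profile content
 * is copied into the page verbatim.
 */
function substituteFeUserMarkers(string $template, array $feUser, bool $htmlSpecialChars): string
{
    $replacements = [];
    foreach ($feUser as $fieldName => $value) {
        $marker = '###FEUSER_' . strtoupper((string)$fieldName) . '###';
        $replacements[$marker] = $htmlSpecialChars
            ? htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : (string)$value;
    }
    return strtr($template, $replacements);
}

// Constructed sample: a frontend user who is allowed to edit their own profile
// and has stored markup and quotes in the "name" field.
$feUser = [
    'username' => 'j.doe',
    'name'     => 'Jane <em>Doe</em> "Q"',
];
$template = '<p>Logged in as ###FEUSER_NAME### (###FEUSER_USERNAME###)</p>';

// htmlSpecialChars = 0: the stored markup is emitted unchanged, so a profile
// field becomes an injection point for everyone who sees the login status.
echo substituteFeUserMarkers($template, $feUser, false), PHP_EOL;

// htmlSpecialChars = 1 (the default): the same value is rendered as literal text.
$encoded = substituteFeUserMarkers($template, $feUser, true);
echo $encoded, PHP_EOL;

// Sanity check: the hardened path must leave no raw markup or quotes from the profile.
if (strpos($encoded, '<em>') !== false || strpos($encoded, '"Q"') !== false) {
    throw new RuntimeException('encoding step did not neutralise profile markup');
}
```

Disabling htmlSpecialChars for a field in TypoScript selects the first code path for that field, so the default should only be changed for fields whose content is not user-editable.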

Credits

Thanks to Thomas Löffler who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.