- Component Type: TYPO3 CMS
- Vulnerable subcomponent: Frontend user login
- Release Date: December 11, 2018
- Vulnerability Type: Cross-Site Scripting
- Affected Versions: 7.0.0-7.6.31, 8.0.0-8.7.20 and 9.0.0-9.5.1
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
- CVE: not assigned yet
The login status display in the website frontend fails to properly encode user input and is therefore vulnerable to cross-site scripting. A valid user account is needed in order to exploit this vulnerability: either a backend user, or a frontend user who is able to modify their own user profile.
The affected template patterns are:
- ###FEUSER_[fieldName]### when rendering with the system extension felogin
- <!--###USERNAME###--> for regular frontend rendering (the pattern can be defined individually using the TypoScript setting config.USERNAME_substToken)
Update to TYPO3 version 7.6.32, 8.7.21 or 9.5.2, which fix the problem described.
Strong security defaults - Possible customization
Template patterns rendered with the system extension felogin can be configured using TypoScript. To apply strong security defaults, the property htmlSpecialChars is enabled by default. The rendering process can be customized by adjusting the corresponding TypoScript setting plugin.tx_felogin_pi1.userfields.[fieldName].htmlSpecialChars. Disabling it for a field emits that field's value unencoded, so it should only be turned off for fields whose values are not user-controlled or are encoded elsewhere.
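The following is an added example and not TYPO3 core or felogin code. It models the two substitution paths named above, the ###FEUSER_[fieldName]### markers and the <!--###USERNAME###--> token, with a constructed frontend user record whose profile contains markup, and shows the effect of the per-field htmlSpecialChars switch. The array $userfieldsConfig is a hypothetical stand-in for the TypoScript path plugin.tx_felogin_pi1.userfields.[fieldName].htmlSpecialChars; the function names are the example's own.

```php
<?php
// Added example, not TYPO3 core or felogin code. It models marker substitution
// for ###FEUSER_[fieldName]### and <!--###USERNAME###--> with a constructed
// frontend user record, and shows why the htmlSpecialChars default matters.

declare(strict_types=1);

// Constructed sample: a frontend user who edited their own profile fields.
$feUser = [
    'username' => 'mallory<script>alert(document.cookie)</script>',
    'name'     => 'Mallory "M" O\'Brien',
];

// Hypothetical stand-in for plugin.tx_felogin_pi1.userfields.[fieldName].htmlSpecialChars
// (1 = encode, the default; 0 = raw output). Not read from real TypoScript here.
$userfieldsConfig = [
    'username' => ['htmlSpecialChars' => 1],
    'name'     => ['htmlSpecialChars' => 0], // deliberately weakened for the demo
];

function encodeField(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Replace ###FEUSER_[fieldName]### markers the way a felogin-style template
 * would, honouring the per-field htmlSpecialChars switch (default: encode).
 */
function renderFeloginMarkers(string $template, array $feUser, array $userfieldsConfig): string
{
    return preg_replace_callback(
        '/###FEUSER_([A-Za-z0-9_]+)###/',
        static function (array $m) use ($feUser, $userfieldsConfig): string {
            $field  = $m[1];
            $value  = (string)($feUser[$field] ?? '');
            $encode = (int)($userfieldsConfig[$field]['htmlSpecialChars'] ?? 1) === 1;
            return $encode ? encodeField($value) : $value;
        },
        $template
    );
}

/**
 * Substitute the username token (config.USERNAME_substToken) the unsafe way,
 * i.e. the raw value is copied into the page as in the vulnerable behaviour.
 */
function substUsernameUnsafe(string $page, string $token, string $username): string
{
    return str_replace($token, $username, $page);
}

/** Same substitution, but the value is always HTML-encoded first. */
function substUsernameSafe(string $page, string $token, string $username): string
{
    return str_replace($token, encodeField($username), $page);
}

$template = '<p>Logged in as ###FEUSER_username### (###FEUSER_name###)</p>';
echo renderFeloginMarkers($template, $feUser, $userfieldsConfig), PHP_EOL;
// username is encoded, so the <script> element is shown as text;
// name is emitted raw because its htmlSpecialChars was set to 0.

$page  = '<span class="user"><!--###USERNAME###--></span>';
$token = '<!--###USERNAME###-->';
echo substUsernameUnsafe($page, $token, $feUser['username']), PHP_EOL; // script lands in the markup
echo substUsernameSafe($page, $token, $feUser['username']), PHP_EOL;   // script is neutralised
```

Run it with the PHP CLI to compare the three output lines: the second line, produced by the unsafe substitution, contains a live script element built from a value the user set in their own profile, which is the condition the advisory describes.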
Thanks to Thomas Löffler who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.
All security related code changes are tagged so that you can easily look them up in our review system.