TYPO3-CORE-SA-2019-019: Arbitrary Code Execution and Cross-Site Scripting in Backend API

Categories: Development Created by Andreas Fernandez
It has been discovered, that TYPO3 CMS is vulnerable to arbitrary code execution and cross-site scripting.

Problem Description

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings.

A valid backend user account having access to modify values for fields pages.TSconfig and pages.tsconfig_includes is needed in order to exploit this vulnerability.


Update to TYPO3 versions 8.7.27 or 9.5.8 that fix the problems described. Fields pages.TSconfig and pages.tsconfig_includes are denied of being modified by non-admin users.


Thanks to Benjamin Kott and Oliver Hader who reported this issue and to TYPO3 core team member Andreas Fernandez who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.