- Component Type: TYPO3 CMS
- Vulnerable subcomponent: Backend API (ext:backend)
- Release Date: June, 25th
- Vulnerability Type: Arbitrary Code Execution, Cross-Site Scripting
- Affected Versions: 8.0.0-8.7.26 and 9.0.0-9.5.7
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:H/MUI:X/MS:X/MC:X/MI:X/MA:X
- CVE: not assigned yet
Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings.
A valid backend user account having access to modify values for fields pages.TSconfig and pages.tsconfig_includes is needed in order to exploit this vulnerability.
Update to TYPO3 versions 8.7.27 or 9.5.8 that fix the problems described. Fields pages.TSconfig and pages.tsconfig_includes are denied of being modified by non-admin users.
Thanks to Benjamin Kott and Oliver Hader who reported this issue and to TYPO3 core team member Andreas Fernandez who fixed the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
All security related code changes are tagged so that you can easily look them up in our review system.