- Release Date: January 22, 2019 (December 11, 2018 for ELTS)
- Vulnerability Type: Cross-Site Scripting
- Affected Versions: TYPO3 6.2.0 to 6.2.38 ELTS, TYPO3 7.0.0 to 7.1.0
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
- CVE: CVE-2020-8091
It has been discovered, that the third party component websvg is vulnerable to cross-site scripting. A browser with Flash plugin installed is needed in order to exploit this vulnerability.
Update to TYPO3 version 6.2.39 ELTS which fixes the problem described and removes the according file at typo3/contrib/websvg/svg.swf. The previous long term support versions TYPO3 v7.6.x were not affected anymore.
Thanks to Purplemet Security for reporting this issue.