- Release Date: January 22, 2019 (December 11, 2018 for ELTS)
- Vulnerability Type: Cross-Site Scripting
- Affected Versions: TYPO3 6.2.0 to 6.2.38 ELTS, TYPO3 7.0.0 to 7.1.0
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
- CVE: CVE-2020-8091
Problem Description
It has been discovered that the third-party component websvg, shipped by TYPO3 as typo3/contrib/websvg/svg.swf, is vulnerable to cross-site scripting. A browser with the Flash plugin installed is required to exploit this vulnerability; clients without Flash do not execute the affected file.
Solution
Update to TYPO3 version 6.2.39 ELTS, which fixes the problem described by removing the affected file typo3/contrib/websvg/svg.swf. The subsequent long-term support release line TYPO3 v7.6.x is no longer affected.
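The following POSIX shell script is an added check, not part of this advisory or of TYPO3 itself. It audits an installation for the file that the fix removes and reports the installed version. It assumes a standard layout with typo3/ directly under the given root and that the version constant is defined in typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php as define('TYPO3_version', '...'); both are assumptions of this example. The optional --remove mode deletes the file by hand, which mirrors what the 6.2.39 ELTS release does; treating that as an interim measure where the update cannot be applied right away is the editor's inference, not a workaround stated in the advisory.

```shell
#!/bin/sh
# Added example (not part of the TYPO3 advisory): audit a TYPO3 document root
# for the websvg Flash file that 6.2.39 ELTS removes.
#
# Assumptions, not stated in the advisory:
#   - "typo3/" sits directly under the given root;
#   - the version constant is defined in
#     typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php as
#     define('TYPO3_version', 'x.y.z');

WEBSVG_FILE="typo3/contrib/websvg/svg.swf"
VERSION_FILE="typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php"

# Print the TYPO3_version constant of the install under $1, or "unknown"
# when the file or the constant cannot be found. Always returns 0.
typo3_version() {
    f="$1/$VERSION_FILE"
    if [ -f "$f" ]; then
        v=$(sed -n "s/.*define('TYPO3_version', *'\([^']*\)').*/\1/p" "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    fi
    printf 'unknown\n'
    return 0
}

# Return 0 if the vulnerable file is absent from the install under $1,
# 1 if it is still present. A one-line verdict is printed either way.
websvg_check() {
    root="$1"
    ver=$(typo3_version "$root")
    if [ -f "$root/$WEBSVG_FILE" ]; then
        printf 'VULNERABLE: %s (TYPO3 %s) still ships %s\n' "$root" "$ver" "$WEBSVG_FILE"
        return 1
    fi
    printf 'OK: %s (TYPO3 %s) does not contain %s\n' "$root" "$ver" "$WEBSVG_FILE"
    return 0
}

# Delete the file by hand, which is what the 6.2.39 ELTS release does.
# Intended only as a stop-gap until the update itself is applied.
websvg_remove() {
    if [ -f "$1/$WEBSVG_FILE" ]; then
        rm -f "$1/$WEBSVG_FILE"
    fi
}

# Usage: sh websvg_check.sh /var/www/typo3site [--remove]
if [ -n "${1:-}" ]; then
    if ! websvg_check "$1" && [ "${2:-}" = "--remove" ]; then
        websvg_remove "$1" && websvg_check "$1"
    fi
fi
```

Run it against each document root once per host; a non-zero exit status means the file is still deployed, regardless of which TYPO3 line the site reports.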
Credits
Thanks to Purplemet Security for reporting this issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.