TYPO3-PSA-2019-003: Cross-Site Scripting in Flash component (ELTS)

Categories: Development
It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.
  • Release Date: January 22, 2019 (December 11, 2018 for ELTS)
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: TYPO3 6.2.0 to 6.2.38 ELTS, TYPO3 7.0.0 to 7.1.0
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: not assigned yet

Problem Description

It has been discovered that the third-party component websvg (shipped as the Flash file typo3/contrib/websvg/svg.swf) is vulnerable to cross-site scripting. A browser with the Flash plugin installed is required in order to exploit this vulnerability.

Solution

Update to TYPO3 version 6.2.39 ELTS, which fixes the problem described by removing the affected file typo3/contrib/websvg/svg.swf. The later long-term support series TYPO3 v7.6.x was no longer affected.
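Since the fix consists of removing a file, the quickest verification on an installation is to confirm that the file is gone. The following shell check is an added example and is not part of this advisory or of TYPO3 itself; it assumes the 6.2-style layout in which the core lives under <webroot>/typo3, and the directory tree it runs against is constructed inline for demonstration, not a real installation.

```shell
#!/bin/sh
# Added example (not TYPO3 code): report whether an installation still ships the
# Flash component removed in TYPO3 6.2.39 ELTS. Assumes <webroot>/typo3 is the core
# directory, as in the 6.2 line.

websvg_swf_present() {
  # usage: websvg_swf_present /path/to/webroot
  # returns 0 if typo3/contrib/websvg/svg.swf is still present, 1 otherwise
  webroot="$1"
  [ -f "$webroot/typo3/contrib/websvg/svg.swf" ]
}

check_websvg() {
  # Prints a verdict for one webroot; returns 1 when the removed file is still
  # shipped (update to 6.2.39 ELTS or remove the file), 0 when it is absent.
  webroot="$1"
  if websvg_swf_present "$webroot"; then
    echo "VULNERABLE: $webroot still ships typo3/contrib/websvg/svg.swf"
    return 1
  fi
  echo "OK: $webroot does not ship typo3/contrib/websvg/svg.swf"
  return 0
}

# Demonstration on a constructed directory tree, not a real TYPO3 installation.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/typo3/contrib/websvg"
: > "$demo_root/typo3/contrib/websvg/svg.swf"   # constructed stand-in for the shipped file
check_websvg "$demo_root" || true               # reports VULNERABLE
rm "$demo_root/typo3/contrib/websvg/svg.swf"    # what the 6.2.39 ELTS update does
check_websvg "$demo_root"                       # reports OK
rm -rf "$demo_root"
```

Run it against each webroot you administer; an "OK" verdict only covers this advisory, so the version update itself is still the complete fix.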

Credits

Thanks to Purplemet Security for reporting this issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.