TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `FileDumpController` (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability. Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.
References
Link | Resource |
---|---|
https://github.com/TYPO3/typo3/commit/bd58d2ff2eeef89e63ef754a2389597d22622a39 | Patch Third Party Advisory |
https://github.com/TYPO3/typo3/security/advisories/GHSA-9c6w-55cp-5w25 | Third Party Advisory |
https://typo3.org/security/advisory/typo3-core-sa-2022-009 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
16 Sep 2022, 14:24
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://typo3.org/security/advisory/typo3-core-sa-2022-009 - Vendor Advisory | |
References | (CONFIRM) https://github.com/TYPO3/typo3/security/advisories/GHSA-9c6w-55cp-5w25 - Third Party Advisory | |
References | (MISC) https://github.com/TYPO3/typo3/commit/bd58d2ff2eeef89e63ef754a2389597d22622a39 - Patch, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CPE | cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:* | |
First Time |
Typo3
Typo3 typo3 |
13 Sep 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-13 18:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-36107
Mitre link : CVE-2022-36107
CVE.ORG link : CVE-2022-36107
JSON object : View
Products Affected
typo3
- typo3
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')