TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `f:asset.css` view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.
References
Link | Resource |
---|---|
https://github.com/TYPO3/typo3/commit/6863f73818c36b0b88c677ba533765c8074907b4 | Patch Third Party Advisory |
https://github.com/TYPO3/typo3/security/advisories/GHSA-fv2m-9249-qx85 | Third Party Advisory |
https://typo3.org/security/advisory/typo3-core-sa-2022-010 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
16 Sep 2022, 14:25
Type | Values Removed | Values Added |
---|---|---|
First Time |
Typo3
Typo3 typo3 |
|
CPE | cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:* | |
References | (MISC) https://typo3.org/security/advisory/typo3-core-sa-2022-010 - Vendor Advisory | |
References | (MISC) https://github.com/TYPO3/typo3/commit/6863f73818c36b0b88c677ba533765c8074907b4 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/TYPO3/typo3/security/advisories/GHSA-fv2m-9249-qx85 - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
13 Sep 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-13 18:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-36108
Mitre link : CVE-2022-36108
CVE.ORG link : CVE-2022-36108
JSON object : View
Products Affected
typo3
- typo3
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')