[typo3/cms-core] Cross-Site Scripting in Frontend Login Mailer

Meta

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (4.9)

Problem

User submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages.

Solution

Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

Credits

Thanks to Christian Seifert who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

References

TYPO3-CORE-SA-2022-004

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-h4mx-xv96-2jgm
https://nvd.nist.gov/vuln/detail/CVE-2022-31049
https://github.com/TYPO3/typo3/commit/da611775f92102d7602713003f4c79606c8a445d
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-31049.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31049.yaml
https://typo3.org/security/advisory/typo3-core-sa-2022-004
https://github.com/advisories/GHSA-h4mx-xv96-2jgm

Underground News

[typo3/cms-core] Cross-Site Scripting in Frontend Login Mailer

Meta

Problem

Solution

Credits

References

References

Archives