[typo3/cms-core] Cross-Site Scripting in Form Framework

Meta

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (4.9)

Problem

It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

Credits

Thanks to Gabe Troyan who reported and fixed the issue.

References

TYPO3-CORE-SA-2022-003

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-3r95-23jp-mhvg
https://nvd.nist.gov/vuln/detail/CVE-2022-31048
https://github.com/TYPO3/typo3/commit/6f2554dc4ea0b670fd5599c54fd788d4db96c4a0
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-31048.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31048.yaml
https://typo3.org/security/advisory/typo3-core-sa-2022-003
https://github.com/advisories/GHSA-3r95-23jp-mhvg

Underground News

[typo3/cms-core] Cross-Site Scripting in Form Framework

Meta

Problem

Solution

Credits

References

References

Archives