Cross-Site Scripting in Form Manager Module

Moderate
ohader published GHSA-v6mw-h7w6-59w3 May 14, 2024

Package

typo3/cms-core (Composer)

Affected versions

9.0.0-9.5.47, 10.0.0-10.4.44, 11.0.0-11.5.36, 12.0.0-12.4.14, 13.0.0-13.1.0

Patched versions

9.5.48, 10.4.45, 11.5.37, 12.4.15, 13.1.1

Description

Problem

The form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module.

Solution

Update to TYPO3 version 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS or 13.1.1, which fix the problem described.
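To check whether a project still pins an affected release, the following added example (not part of the advisory or of TYPO3) reads composer.lock content and compares the typo3/cms-core version against the ranges listed above. The function names and the sample lock data are assumptions made for illustration.

```python
import json
import re

# Branch -> (last affected release, first patched release), as listed in this advisory.
BRANCHES = {
    9: ((9, 5, 47), "9.5.48"),
    10: ((10, 4, 44), "10.4.45"),
    11: ((11, 5, 36), "11.5.37"),
    12: ((12, 4, 14), "12.4.15"),
    13: ((13, 1, 0), "13.1.1"),
}

def parse_version(text):
    """(major, minor, patch) for '12.4.10' or 'v12.4.10'; None for aliases such as 'dev-main'."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in match.groups()) if match else None

def check_version(text):
    """Classify one version string; returns (status, first_patched_release_or_None)."""
    version = parse_version(text)
    if version is None:
        return ("unknown", None)        # branch alias or pre-release: check by hand
    if version[0] not in BRANCHES:
        return ("not-listed", None)     # the advisory says nothing about this major
    last_affected, patched = BRANCHES[version[0]]
    if version <= last_affected:        # every listed range starts at X.0.0
        return ("affected", patched)
    return ("patched", None)

def check_lock(lock_text, package="typo3/cms-core"):
    """Locate the package in composer.lock content and classify its pinned version."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            return (entry["version"],) + check_version(entry["version"])
    return (None, "not-installed", None)

# Constructed sample: a minimal composer.lock with only the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "typo3/cms-core", "version": "v12.4.10"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A result of "unknown" or "not-listed" means the advisory's ranges cannot decide the case, so the installed version has to be reviewed manually.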

Credits

Thanks to TYPO3 core & security team member Benjamin Franzke who reported and fixed the issue.

References

Severity

Moderate (5.4 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2024-34356

Weaknesses

Credits

  • @bnf (Remediation developer)