Skip to content

Cross-Site Scripting in TYPO3 CMS Link Handling

Moderate severity GitHub Reviewed Published May 12, 2020 in TYPO3/typo3 • Updated Feb 5, 2024

Package

composer typo3/cms (Composer)

Affected versions

>= 10.0.0, < 10.4.2
>= 9.0.0, < 9.5.17

Patched versions

10.4.2
9.5.17
composer typo3/cms-core (Composer)
>= 10.0.0, < 10.4.2
>= 9.0.0, < 9.5.17
10.4.2
9.5.17

Description

It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly.

Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.

References

References

@ohader ohader published to TYPO3/typo3 May 12, 2020
Reviewed May 13, 2020
Published to the GitHub Advisory Database May 13, 2020
Last updated Feb 5, 2024

Severity

Moderate
5.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2020-11065

GHSA ID

GHSA-4j77-gg36-9864

Source code

No known source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.