logo

Database

Reflected cross-site scripting (XSS) In typo3/cms

Description

Cross-Site Scripting in TYPO3 CMS Link Handling It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly.

Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2020-110652. NVD-2020-110653. OSV-2020-110654. GHSA-4j77-gg36-98645. GCVE-2020-11065

References

1. https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4j77-gg36-98642. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11065.yaml3. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11065.yaml4. https://typo3.org/security/advisory/typo3-core-sa-2020-003

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.