Fluid Attacks Database

Description

TYPO3 CMS Stored Cross-Site Scripting via FileDumpController

Meta

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (5.0)

Problem

It has been discovered that the FileDumpController (backend and frontend context) is vulnerable to cross-site scripting when malicious files are displayed using this component. A valid backend user account is needed to exploit this vulnerability.

Solution

Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above.

Credits

Thanks to Vautia who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

References

TYPO3-CORE-SA-2022-009

Vulnerability Report on huntr.dev (embargoed +30 days)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	typo3/cms-core	>=7.0.0 <7.6.58 \|\| >=8.0.0 <8.7.48 \|\| >=9.0.0 <9.5.37 \|\| >=10.0.0 <10.4.32 \|\| >=11.0.0 <11.5.16	7.6.58, 8.7.48, 9.5.37, 10.4.32, 11.5.16
packagist	typo3/cms	>=10.0.0 <10.4.32 \|\| >=11.0.0 <11.5.16	10.4.32, 11.5.16

Aliases

1. CVE-2022-361072. NVD-2022-361073. OSV-2022-361074. GHSA-9c6w-55cp-5w255. GCVE-2022-36107

References

1. https://github.com/TYPO3/typo3/security/advisories/GHSA-9c6w-55cp-5w252. https://github.com/TYPO3/typo3/commit/546208428c861a09d62b86cde141eb19a81fae663. https://github.com/TYPO3/typo3/commit/bd58d2ff2eeef89e63ef754a2389597d22622a394. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36107.yaml5. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36107.yaml6. https://typo3.org/security/advisory/typo3-core-sa-2022-009