CVE-2022-36108

Published: Sep 13, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the `f:asset.css` view helper is vulnerable to cross-site scripting when user input is passed as variables to the CSS. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.

Affected (2)

Products: Typo3: Typo3

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Typo3 Typo3	From 10.0.0 to 10.4.31
Typo3 Typo3	From 11.0.0 to 11.5.15

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/TYPO3/typo3/commit/6863f73818c36b0b88c677ba533765c8074907b4

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/TYPO3/typo3/security/advisories/GHSA-fv2m-9249-qx85

Source: security-advisories@github.com

Third Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2022-010

Source: security-advisories@github.com

Vendor Advisory

https://github.com/TYPO3/typo3/commit/6863f73818c36b0b88c677ba533765c8074907b4

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/TYPO3/typo3/security/advisories/GHSA-fv2m-9249-qx85

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2022-010

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.