CVE-2018-6905: Cross-site Scripting in Typo3

Severity: 4.8 MEDIUM (NVD)
EPSS: 2.3% (top 15.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 8
Latest update: May 14

Description

The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages (2 packages)

Packagist: typo3/cms < 9.2.0
NVD: typo3/typo3 9.0.0, 9.1.0 (+1)

Vulnerability Details (3)

GHSA: Typo3 XSS Vulnerability (2022-05-14)
OSV: Typo3 XSS Vulnerability (2022-05-14)
CVEList: CVE-2018-6905: The page module in TYPO3 before 8 (2018-04-08)