GHSA-4j77-gg36-9864

Опубликовано: 13 мая 2020

Источник: github

Github: Прошло ревью

CVSS3: 5.4

Описание

Cross-Site Scripting in TYPO3 CMS Link Handling

It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly.

Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.

References

https://typo3.org/security/advisory/typo3-core-sa-2020-003

Ссылки

Пакеты

Наименование

typo3/cms-core

composer

Затронутые версииВерсия исправления

>= 10.0.0, < 10.4.2

10.4.2

Наименование

typo3/cms-core

composer

Затронутые версииВерсия исправления

>= 9.0.0, < 9.5.17

9.5.17

Наименование

typo3/cms

composer

Затронутые версииВерсия исправления

>= 10.0.0, < 10.4.2

10.4.2

Наименование

typo3/cms

composer

Затронутые версииВерсия исправления

>= 9.0.0, < 9.5.17

9.5.17

EPSS

Процентиль: 43%

0.00206

Низкий

5.4 Medium

CVSS3

CVE ID

CVE-2020-11065

Дефекты

CWE-79

Связанные уязвимости

CVE-2020-11065

CVSS3: 5.4

nvd

больше 5 лет назад

In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2.

EPSS

Процентиль: 43%

0.00206

Низкий

5.4 Medium

CVSS3

CVE ID

CVE-2020-11065

Дефекты

CWE-79