GHSA-f3rf-v9qm-9c89

Published: 1 Sep 2021
Source: github
GitHub: reviewed

Description

Cross-site Scripting in the femanager TYPO3 extension

By default, the extension allows a logged-in frontend user to upload SVG files as a new profile image. Because SVG is an XML document that can carry script, this may lead to Cross-Site Scripting when the uploaded SVG image is served as-is on the website.

Note: If SVG uploads are required, it is recommended to use the TYPO3 extension svg_sanitizer (added to TYPO3 core since versions 9.5.28, 10.4.18 and 11.3.0) to prevent upload of malicious SVG files or to set up a strict Content Security Policy for the destination folder of uploaded images.
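The two mitigations named above, sanitizing SVG uploads and serving the upload folder under a strict Content Security Policy, as an added illustration that is not femanager's or svg_sanitizer's code: a pre-upload check that rejects the SVG constructs which make a file executable in the browser, and the response headers a strict policy for the image folder would send. The element and attribute lists and the sample files are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET  # defusedxml is the safer parser for untrusted input

SVG_NS = "{http://www.w3.org/2000/svg}"
# Elements that can carry executable or foreign content (assumed list for this example).
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected; an empty list means it passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        local = el.tag.split("}", 1)[-1]            # strip the namespace prefix
        if local in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{local}>")
        for attr, value in el.attrib.items():
            name = attr.split("}", 1)[-1].lower()
            if name.startswith("on"):                # onload, onclick, ... event handlers
                findings.append(f"event handler {name} on <{local}>")
            elif name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL on <{local}>")
    return findings


def upload_folder_headers() -> dict[str, str]:
    """Headers to serve from the uploaded-image folder when SVG must stay enabled:
    a CSP that forbids script execution, plus nosniff so the browser does not guess a type."""
    return {
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: one plain image, one carrying the constructs the check rejects.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
UNSAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* constructed */</script><circle onclick="x()" r="4"/></svg>')

if __name__ == "__main__":
    print(svg_findings(CLEAN_SVG))   # []
    print(svg_findings(UNSAFE_SVG))  # two findings: the script element and the handler
```

The check is a deny-list for illustration; the svg_sanitizer extension the note recommends works with an allow-list of elements and attributes, which is the stricter approach in production.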

Packages

Name               Ecosystem   Affected versions    Fixed version
in2code/femanager  composer    < 5.5.1              5.5.1
in2code/femanager  composer    >= 6.0.0, < 6.3.1    6.3.1

EPSS

Percentile: 71%
Score: 0.00691
Low

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
nvd
more than 4 years ago

The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document.
