Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-h4mx-xv96-2jgm: Cross-Site Scripting in Frontend Login Mailer

Meta

  • CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (4.9)

Problem

User submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages.

Solution

Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

Credits

Thanks to Christian Seifert who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

References

ghsa
Open in Source
#xss#perl

Package

Affected versions

>= 10.0.0, < 10.4.29

>= 11.0.0, < 11.5.11

Patched versions

10.4.29

11.5.11

>= 9.0.0, < 9.5.35

>= 10.0.0, < 10.4.29

>= 11.0.0, < 11.5.11

Related news

CVE-2022-31049: [SECURITY] Avoid HTML injection in password recovery mail · TYPO3/typo3@da61177

TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.

ghsa: Latest News

GHSA-wphj-fx3q-84ch: systeminformation has a Command Injection vulnerability in fsSize() function on Windows
ghsa